deleted modules (#6)
This commit is contained in:
Родитель
861f11be92
Коммит
f8f4b524fc
|
@ -1,85 +0,0 @@
|
|||
@sys.description('Required. The IDs of the principals to assign the role to.')
|
||||
param principalIds array
|
||||
|
||||
@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
|
||||
param roleDefinitionIdOrName string
|
||||
|
||||
@sys.description('Required. The resource ID of the resource to apply the role assignment to.')
|
||||
param resourceId string
|
||||
|
||||
@sys.description('Optional. The principal type of the assigned principal ID.')
|
||||
@allowed([
|
||||
'ServicePrincipal'
|
||||
'Group'
|
||||
'User'
|
||||
'ForeignGroup'
|
||||
'Device'
|
||||
''
|
||||
])
|
||||
param principalType string = ''
|
||||
|
||||
@sys.description('Optional. The description of the role assignment.')
|
||||
param description string = ''
|
||||
|
||||
@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
|
||||
param condition string = ''
|
||||
|
||||
@sys.description('Optional. Version of the condition.')
|
||||
@allowed([
|
||||
'2.0'
|
||||
])
|
||||
param conditionVersion string = '2.0'
|
||||
|
||||
@sys.description('Optional. Id of the delegated managed identity resource.')
|
||||
param delegatedManagedIdentityResourceId string = ''
|
||||
|
||||
var builtInRoleNames = {
|
||||
'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
|
||||
'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
|
||||
'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
|
||||
'Avere Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')
|
||||
'Avere Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')
|
||||
'Backup Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')
|
||||
'Backup Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')
|
||||
'Cosmos DB Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')
|
||||
'DevTest Labs User': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')
|
||||
'DocumentDB Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')
|
||||
'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
|
||||
'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
|
||||
'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
|
||||
'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
|
||||
'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
|
||||
'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
|
||||
'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')
|
||||
'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
|
||||
'Network Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')
|
||||
'Private DNS Zone Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')
|
||||
'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
|
||||
'Site Recovery Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')
|
||||
'Site Recovery Operator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')
|
||||
'SQL Managed Instance Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')
|
||||
'SQL Security Manager': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')
|
||||
'Storage Account Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')
|
||||
'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
|
||||
'Virtual Machine Administrator Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')
|
||||
'Virtual Machine Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')
|
||||
'Virtual Machine User Login': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')
|
||||
}
|
||||
|
||||
resource AzureADDS 'Microsoft.AAD/DomainServices@2021-05-01' existing = {
|
||||
name: last(split(resourceId, '/'))
|
||||
}
|
||||
|
||||
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: {
|
||||
name: guid(AzureADDS.id, principalId, roleDefinitionIdOrName)
|
||||
properties: {
|
||||
description: description
|
||||
roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
|
||||
principalId: principalId
|
||||
principalType: !empty(principalType) ? any(principalType) : null
|
||||
condition: !empty(condition) ? condition : null
|
||||
conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null
|
||||
delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null
|
||||
}
|
||||
scope: AzureADDS
|
||||
}]
|
|
@ -1,56 +0,0 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"domainName": {
|
||||
"value": "<<namePrefix>>.onmicrosoft.com"
|
||||
},
|
||||
"sku": {
|
||||
"value": "Standard"
|
||||
},
|
||||
"lock": {
|
||||
"value": "CanNotDelete"
|
||||
},
|
||||
"replicaSets": {
|
||||
"value": [
|
||||
{
|
||||
"location": "WestEurope",
|
||||
"subnetId": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<<namePrefix>>-az-vnet-aadds-001/subnets/AADDSSubnet"
|
||||
}
|
||||
]
|
||||
},
|
||||
"pfxCertificate": {
|
||||
"reference": {
|
||||
"keyVault": {
|
||||
"id": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<<namePrefix>>-az-kv-x-001"
|
||||
},
|
||||
"secretName": "pfxBase64Certificate"
|
||||
}
|
||||
},
|
||||
"pfxCertificatePassword": {
|
||||
"reference": {
|
||||
"keyVault": {
|
||||
"id": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<<namePrefix>>-az-kv-x-001"
|
||||
},
|
||||
"secretName": "pfxCertificatePassword"
|
||||
}
|
||||
},
|
||||
"additionalRecipients": {
|
||||
"value": [
|
||||
"<<namePrefix>>@noreply.github.com"
|
||||
]
|
||||
},
|
||||
"diagnosticWorkspaceId": {
|
||||
"value": "/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<<namePrefix>>-az-law-x-001"
|
||||
},
|
||||
"diagnosticStorageAccountId": {
|
||||
"value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<<namePrefix>>azsax001"
|
||||
},
|
||||
"diagnosticEventHubAuthorizationRuleId": {
|
||||
"value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<<namePrefix>>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey"
|
||||
},
|
||||
"diagnosticEventHubName": {
|
||||
"value": "adp-<<namePrefix>>-az-evh-x-001"
|
||||
}
|
||||
}
|
||||
}
|
|
@ -1,268 +0,0 @@
|
|||
@description('Optional. The name of the AADDS resource. Defaults to the domain name specific to the Azure ADDS service.')
|
||||
param name string = domainName
|
||||
|
||||
@description('Required. The domain name specific to the Azure ADDS service.')
|
||||
param domainName string
|
||||
|
||||
@description('Optional. The name of the SKU specific to Azure ADDS Services.')
|
||||
@allowed([
|
||||
'Standard'
|
||||
'Enterprise'
|
||||
'Premium'
|
||||
])
|
||||
param sku string = 'Standard'
|
||||
|
||||
@description('Optional. The location to deploy the Azure ADDS Services.')
|
||||
param location string = resourceGroup().location
|
||||
|
||||
@description('Optional. Additional replica set for the managed domain.')
|
||||
param replicaSets array = []
|
||||
|
||||
@description('Conditional. The certificate required to configure Secure LDAP. Should be a base64encoded representation of the certificate PFX file. Required if secure LDAP is enabled and must be valid more than 30 days.')
|
||||
param pfxCertificate string = ''
|
||||
|
||||
@description('Conditional. The password to decrypt the provided Secure LDAP certificate PFX file. Required if secure LDAP is enabled.')
|
||||
@secure()
|
||||
param pfxCertificatePassword string = ''
|
||||
|
||||
@description('Optional. The email recipient value to receive alerts.')
|
||||
param additionalRecipients array = []
|
||||
|
||||
@description('Optional. The value is to provide domain configuration type.')
|
||||
@allowed([
|
||||
'FullySynced'
|
||||
'ResourceTrusting'
|
||||
])
|
||||
param domainConfigurationType string = 'FullySynced'
|
||||
|
||||
@description('Optional. The value is to synchronize scoped users and groups.')
|
||||
param filteredSync string = 'Enabled'
|
||||
|
||||
@description('Optional. The value is to enable clients making request using TLSv1.')
|
||||
@allowed([
|
||||
'Enabled'
|
||||
'Disabled'
|
||||
])
|
||||
param tlsV1 string = 'Enabled'
|
||||
|
||||
@description('Optional. The value is to enable clients making request using NTLM v1.')
|
||||
@allowed([
|
||||
'Enabled'
|
||||
'Disabled'
|
||||
])
|
||||
param ntlmV1 string = 'Enabled'
|
||||
|
||||
@description('Optional. The value is to enable synchronized users to use NTLM authentication.')
|
||||
@allowed([
|
||||
'Enabled'
|
||||
'Disabled'
|
||||
])
|
||||
#disable-next-line secure-secrets-in-params // Not a secret
|
||||
param syncNtlmPasswords string = 'Enabled'
|
||||
|
||||
@description('Optional. The value is to enable on-premises users to authenticate against managed domain.')
|
||||
@allowed([
|
||||
'Enabled'
|
||||
'Disabled'
|
||||
])
|
||||
#disable-next-line secure-secrets-in-params // Not a secret
|
||||
param syncOnPremPasswords string = 'Enabled'
|
||||
|
||||
@description('Optional. The value is to enable Kerberos requests that use RC4 encryption.')
|
||||
@allowed([
|
||||
'Enabled'
|
||||
'Disabled'
|
||||
])
|
||||
param kerberosRc4Encryption string = 'Enabled'
|
||||
|
||||
@description('Optional. The value is to enable to provide a protected channel between the Kerberos client and the KDC.')
|
||||
@allowed([
|
||||
'Enabled'
|
||||
'Disabled'
|
||||
])
|
||||
param kerberosArmoring string = 'Enabled'
|
||||
|
||||
@description('Optional. The value is to notify the DC Admins.')
|
||||
@allowed([
|
||||
'Enabled'
|
||||
'Disabled'
|
||||
])
|
||||
param notifyDcAdmins string = 'Enabled'
|
||||
|
||||
@description('Optional. The value is to notify the Global Admins.')
|
||||
@allowed([
|
||||
'Enabled'
|
||||
'Disabled'
|
||||
])
|
||||
param notifyGlobalAdmins string = 'Enabled'
|
||||
|
||||
@description('Optional. The value is to enable the Secure LDAP for external services of Azure ADDS Services.')
|
||||
@allowed([
|
||||
'Enabled'
|
||||
'Disabled'
|
||||
])
|
||||
param externalAccess string = 'Enabled'
|
||||
|
||||
@description('Optional. A flag to determine whether or not Secure LDAP is enabled or disabled.')
|
||||
@allowed([
|
||||
'Enabled'
|
||||
'Disabled'
|
||||
])
|
||||
param ldaps string = 'Enabled'
|
||||
|
||||
@description('Optional. Resource ID of the diagnostic storage account.')
|
||||
param diagnosticStorageAccountId string = ''
|
||||
|
||||
@description('Optional. Resource ID of the diagnostic log analytics workspace.')
|
||||
param diagnosticWorkspaceId string = ''
|
||||
|
||||
@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
|
||||
param diagnosticEventHubAuthorizationRuleId string = ''
|
||||
|
||||
@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.')
|
||||
param diagnosticEventHubName string = ''
|
||||
|
||||
@description('Optional. Tags of the resource.')
|
||||
param tags object = {}
|
||||
|
||||
@description('Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.')
|
||||
@minValue(0)
|
||||
@maxValue(365)
|
||||
param diagnosticLogsRetentionInDays int = 365
|
||||
|
||||
@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
|
||||
param enableDefaultTelemetry bool = true
|
||||
|
||||
@allowed([
|
||||
''
|
||||
'CanNotDelete'
|
||||
'ReadOnly'
|
||||
])
|
||||
@description('Optional. Specify the type of lock.')
|
||||
param lock string = ''
|
||||
|
||||
@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
|
||||
param roleAssignments array = []
|
||||
|
||||
@description('Optional. The name of logs that will be streamed.')
|
||||
@allowed([
|
||||
'SystemSecurity'
|
||||
'AccountManagement'
|
||||
'LogonLogoff'
|
||||
'ObjectAccess'
|
||||
'PolicyChange'
|
||||
'PrivilegeUse'
|
||||
'DetailTracking'
|
||||
'DirectoryServiceAccess'
|
||||
'AccountLogon'
|
||||
])
|
||||
param logsToEnable array = [
|
||||
'SystemSecurity'
|
||||
'AccountManagement'
|
||||
'LogonLogoff'
|
||||
'ObjectAccess'
|
||||
'PolicyChange'
|
||||
'PrivilegeUse'
|
||||
'DetailTracking'
|
||||
'DirectoryServiceAccess'
|
||||
'AccountLogon'
|
||||
]
|
||||
|
||||
var diagnosticsLogs = [for log in logsToEnable: {
|
||||
category: log
|
||||
enabled: true
|
||||
retentionPolicy: {
|
||||
enabled: true
|
||||
days: diagnosticLogsRetentionInDays
|
||||
}
|
||||
}]
|
||||
|
||||
resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
|
||||
name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
|
||||
properties: {
|
||||
mode: 'Incremental'
|
||||
template: {
|
||||
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
|
||||
contentVersion: '1.0.0.0'
|
||||
resources: []
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource domainService 'Microsoft.AAD/DomainServices@2021-05-01' = {
|
||||
name: name
|
||||
location: location
|
||||
tags: tags
|
||||
properties: {
|
||||
domainName: domainName
|
||||
domainConfigurationType: domainConfigurationType
|
||||
filteredSync: filteredSync
|
||||
notificationSettings: {
|
||||
additionalRecipients: additionalRecipients
|
||||
notifyDcAdmins: notifyDcAdmins
|
||||
notifyGlobalAdmins: notifyGlobalAdmins
|
||||
}
|
||||
ldapsSettings: {
|
||||
externalAccess: externalAccess
|
||||
ldaps: ldaps
|
||||
pfxCertificate: !empty(pfxCertificate) ? pfxCertificate : null
|
||||
pfxCertificatePassword: !empty(pfxCertificatePassword) ? pfxCertificatePassword : null
|
||||
}
|
||||
replicaSets: replicaSets
|
||||
domainSecuritySettings: {
|
||||
tlsV1: tlsV1
|
||||
ntlmV1: ntlmV1
|
||||
syncNtlmPasswords: syncNtlmPasswords
|
||||
syncOnPremPasswords: syncOnPremPasswords
|
||||
kerberosRc4Encryption: kerberosRc4Encryption
|
||||
kerberosArmoring: kerberosArmoring
|
||||
}
|
||||
sku: sku
|
||||
}
|
||||
}
|
||||
|
||||
resource domainService_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) {
|
||||
name: '${domainService.name}-diagnosticSettings'
|
||||
properties: {
|
||||
storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null
|
||||
workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null
|
||||
eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null
|
||||
eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null
|
||||
logs: diagnosticsLogs
|
||||
}
|
||||
scope: domainService
|
||||
}
|
||||
|
||||
resource domainService_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) {
|
||||
name: '${domainService.name}-${lock}-lock'
|
||||
properties: {
|
||||
level: any(lock)
|
||||
notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
|
||||
}
|
||||
scope: domainService
|
||||
}
|
||||
|
||||
module domainService_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
|
||||
name: '${uniqueString(deployment().name, location)}-VNet-Rbac-${index}'
|
||||
params: {
|
||||
description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
|
||||
principalIds: roleAssignment.principalIds
|
||||
principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
|
||||
roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
|
||||
condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
|
||||
delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
|
||||
resourceId: domainService.id
|
||||
}
|
||||
}]
|
||||
|
||||
@description('The domain name of the Azure Active Directory Domain Services(Azure ADDS).')
|
||||
output name string = domainService.name
|
||||
|
||||
@description('The name of the resource group the Azure Active Directory Domain Services(Azure ADDS) was created in.')
|
||||
output resourceGroupName string = resourceGroup().name
|
||||
|
||||
@description('The resource ID of the Azure Active Directory Domain Services(Azure ADDS).')
|
||||
output resourceId string = domainService.id
|
||||
|
||||
@description('The location the resource was deployed into.')
|
||||
output location string = domainService.location
|
|
@ -1,328 +0,0 @@
|
|||
# Azure Active Directory Domain Services `[Microsoft.AAD/DomainServices]`
|
||||
|
||||
This template deploys Azure Active Directory Domain Services (AADDS).
|
||||
|
||||
## Navigation
|
||||
|
||||
- [Resource types](#Resource-types)
|
||||
- [Parameters](#Parameters)
|
||||
- [Considerations](#Considerations)
|
||||
- [Outputs](#Outputs)
|
||||
- [Cross-referenced modules](#Cross-referenced-modules)
|
||||
- [Deployment examples](#Deployment-examples)
|
||||
|
||||
## Resource types
|
||||
|
||||
| Resource Type | API Version |
|
||||
| :-- | :-- |
|
||||
| `Microsoft.AAD/domainServices` | [2021-05-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.AAD/2021-05-01/domainServices) |
|
||||
| `Microsoft.Authorization/locks` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) |
|
||||
| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
|
||||
| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) |
|
||||
|
||||
## Parameters
|
||||
|
||||
**Required parameters**
|
||||
| Parameter Name | Type | Description |
|
||||
| :-- | :-- | :-- |
|
||||
| `domainName` | string | The domain name specific to the Azure ADDS service. |
|
||||
|
||||
**Conditional parameters**
|
||||
| Parameter Name | Type | Default Value | Description |
|
||||
| :-- | :-- | :-- | :-- |
|
||||
| `pfxCertificate` | string | `''` | The certificate required to configure Secure LDAP. Should be a base64encoded representation of the certificate PFX file. Required if secure LDAP is enabled and must be valid more than 30 days. |
|
||||
| `pfxCertificatePassword` | secureString | `''` | The password to decrypt the provided Secure LDAP certificate PFX file. Required if secure LDAP is enabled. |
|
||||
|
||||
**Optional parameters**
|
||||
| Parameter Name | Type | Default Value | Allowed Values | Description |
|
||||
| :-- | :-- | :-- | :-- | :-- |
|
||||
| `additionalRecipients` | array | `[]` | | The email recipient value to receive alerts. |
|
||||
| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
|
||||
| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. |
|
||||
| `diagnosticLogsRetentionInDays` | int | `365` | | Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. |
|
||||
| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. |
|
||||
| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. |
|
||||
| `domainConfigurationType` | string | `'FullySynced'` | `[FullySynced, ResourceTrusting]` | The value is to provide domain configuration type. |
|
||||
| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). |
|
||||
| `externalAccess` | string | `'Enabled'` | `[Disabled, Enabled]` | The value is to enable the Secure LDAP for external services of Azure ADDS Services. |
|
||||
| `filteredSync` | string | `'Enabled'` | | The value is to synchronize scoped users and groups. |
|
||||
| `kerberosArmoring` | string | `'Enabled'` | `[Disabled, Enabled]` | The value is to enable to provide a protected channel between the Kerberos client and the KDC. |
|
||||
| `kerberosRc4Encryption` | string | `'Enabled'` | `[Disabled, Enabled]` | The value is to enable Kerberos requests that use RC4 encryption. |
|
||||
| `ldaps` | string | `'Enabled'` | `[Disabled, Enabled]` | A flag to determine whether or not Secure LDAP is enabled or disabled. |
|
||||
| `location` | string | `[resourceGroup().location]` | | The location to deploy the Azure ADDS Services. |
|
||||
| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. |
|
||||
| `logsToEnable` | array | `[AccountLogon, AccountManagement, DetailTracking, DirectoryServiceAccess, LogonLogoff, ObjectAccess, PolicyChange, PrivilegeUse, SystemSecurity]` | `[AccountLogon, AccountManagement, DetailTracking, DirectoryServiceAccess, LogonLogoff, ObjectAccess, PolicyChange, PrivilegeUse, SystemSecurity]` | The name of logs that will be streamed. |
|
||||
| `name` | string | `[parameters('domainName')]` | | The name of the AADDS resource. Defaults to the domain name specific to the Azure ADDS service. |
|
||||
| `notifyDcAdmins` | string | `'Enabled'` | `[Disabled, Enabled]` | The value is to notify the DC Admins. |
|
||||
| `notifyGlobalAdmins` | string | `'Enabled'` | `[Disabled, Enabled]` | The value is to notify the Global Admins. |
|
||||
| `ntlmV1` | string | `'Enabled'` | `[Disabled, Enabled]` | The value is to enable clients making request using NTLM v1. |
|
||||
| `replicaSets` | array | `[]` | | Additional replica set for the managed domain. |
|
||||
| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
|
||||
| `sku` | string | `'Standard'` | `[Enterprise, Premium, Standard]` | The name of the SKU specific to Azure ADDS Services. |
|
||||
| `syncNtlmPasswords` | string | `'Enabled'` | `[Disabled, Enabled]` | The value is to enable synchronized users to use NTLM authentication. |
|
||||
| `syncOnPremPasswords` | string | `'Enabled'` | `[Disabled, Enabled]` | The value is to enable on-premises users to authenticate against managed domain. |
|
||||
| `tags` | object | `{object}` | | Tags of the resource. |
|
||||
| `tlsV1` | string | `'Enabled'` | `[Disabled, Enabled]` | The value is to enable clients making request using TLSv1. |
|
||||
|
||||
|
||||
### Parameter Usage: `roleAssignments`
|
||||
|
||||
Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure.
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Parameter JSON format</summary>
|
||||
|
||||
```json
|
||||
"roleAssignments": {
|
||||
"value": [
|
||||
{
|
||||
"roleDefinitionIdOrName": "Reader",
|
||||
"description": "Reader Role Assignment",
|
||||
"principalIds": [
|
||||
"12345678-1234-1234-1234-123456789012", // object 1
|
||||
"78945612-1234-1234-1234-123456789012" // object 2
|
||||
]
|
||||
},
|
||||
{
|
||||
"roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
|
||||
"principalIds": [
|
||||
"12345678-1234-1234-1234-123456789012" // object 1
|
||||
],
|
||||
"principalType": "ServicePrincipal"
|
||||
}
|
||||
]
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Bicep format</summary>
|
||||
|
||||
```bicep
|
||||
roleAssignments: [
|
||||
{
|
||||
roleDefinitionIdOrName: 'Reader'
|
||||
description: 'Reader Role Assignment'
|
||||
principalIds: [
|
||||
'12345678-1234-1234-1234-123456789012' // object 1
|
||||
'78945612-1234-1234-1234-123456789012' // object 2
|
||||
]
|
||||
}
|
||||
{
|
||||
roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'
|
||||
principalIds: [
|
||||
'12345678-1234-1234-1234-123456789012' // object 1
|
||||
]
|
||||
principalType: 'ServicePrincipal'
|
||||
}
|
||||
]
|
||||
```
|
||||
|
||||
</details>
|
||||
<p>
|
||||
|
||||
### Parameter Usage: `tags`
|
||||
|
||||
Tag names and tag values can be provided as needed. A tag can be left without a value.
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Parameter JSON format</summary>
|
||||
|
||||
```json
|
||||
"tags": {
|
||||
"value": {
|
||||
"Environment": "Non-Prod",
|
||||
"Contact": "test.user@testcompany.com",
|
||||
"PurchaseOrder": "1234",
|
||||
"CostCenter": "7890",
|
||||
"ServiceName": "DeploymentValidation",
|
||||
"Role": "DeploymentValidation"
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Bicep format</summary>
|
||||
|
||||
```bicep
|
||||
tags: {
|
||||
Environment: 'Non-Prod'
|
||||
Contact: 'test.user@testcompany.com'
|
||||
PurchaseOrder: '1234'
|
||||
CostCenter: '7890'
|
||||
ServiceName: 'DeploymentValidation'
|
||||
Role: 'DeploymentValidation'
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
<p>
|
||||
|
||||
## Considerations
|
||||
|
||||
- A network security group has to be created and assigned to the designated AADDS subnet before deploying this module
|
||||
- The following inbound rules should be allowed on the network security group
|
||||
| Name | Protocol | Source Port Range | Source Address Prefix | Destination Port Range | Destination Address Prefix |
|
||||
| - | - | - | - | - | - |
|
||||
| AllowSyncWithAzureAD | TCP | `*` | `AzureActiveDirectoryDomainServices` | `443` | `*` |
|
||||
| AllowPSRemoting | TCP | `*` | `AzureActiveDirectoryDomainServices` | `5986` | `*` |
|
||||
- Associating a route table to the AADDS subnet is not recommended
|
||||
- The network used for AADDS must have its DNS Servers [configured](https://docs.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-configure-networking#configure-dns-servers-in-the-peered-virtual-network) (e.g. with IPs `10.0.1.4` & `10.0.1.5`)
|
||||
- Your Azure Active Directory must have the 'Domain Controller Services' service principal registered. If that's not the case, you can register it by executing the command `New-AzADServicePrincipal -ApplicationId '2565bd9d-da50-47d4-8b85-4c97f669dc36'` with an eligible user.
|
||||
|
||||
### Create self-signed certificate for secure LDAP
|
||||
Follow the below PowerShell commands to get base64 encoded string of a self-signed certificate (with a `pfxCertificatePassword`)
|
||||
|
||||
```PowerShell
|
||||
$pfxCertificatePassword = ConvertTo-SecureString '<<YourPfxCertificatePassword>>' -AsPlainText -Force
|
||||
$certInputObject = @{
|
||||
Subject = 'CN=*.<<YourDomainName>>'
|
||||
DnsName = '*.<<YourDomainName>>'
|
||||
CertStoreLocation = 'cert:\LocalMachine\My'
|
||||
KeyExportPolicy = 'Exportable'
|
||||
Provider = 'Microsoft Enhanced RSA and AES Cryptographic Provider'
|
||||
NotAfter = (Get-Date).AddMonths(3)
|
||||
HashAlgorithm = 'SHA256'
|
||||
}
|
||||
$rawCert = New-SelfSignedCertificate @certInputObject
|
||||
Export-PfxCertificate -Cert ('Cert:\localmachine\my\' + $rawCert.Thumbprint) -FilePath "$home/aadds.pfx" -Password $pfxCertificatePassword -Force
|
||||
$rawCertByteStream = Get-Content "$home/aadds.pfx" -AsByteStream
|
||||
$pfxCertificate = [System.Convert]::ToBase64String($rawCertByteStream)
|
||||
```
|
||||
|
||||
## Outputs
|
||||
|
||||
| Output Name | Type | Description |
|
||||
| :-- | :-- | :-- |
|
||||
| `location` | string | The location the resource was deployed into. |
|
||||
| `name` | string | The domain name of the Azure Active Directory Domain Services(Azure ADDS). |
|
||||
| `resourceGroupName` | string | The name of the resource group the Azure Active Directory Domain Services(Azure ADDS) was created in. |
|
||||
| `resourceId` | string | The resource ID of the Azure Active Directory Domain Services(Azure ADDS). |
|
||||
|
||||
## Cross-referenced modules
|
||||
|
||||
_None_
|
||||
|
||||
## Deployment examples
|
||||
|
||||
The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder.
|
||||
>**Note**: The name of each example is based on the name of the file from which it is taken.
|
||||
|
||||
>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order.
|
||||
|
||||
<h3>Example 1: Parameters</h3>
|
||||
|
||||
<details>
|
||||
|
||||
<summary>via Bicep module</summary>
|
||||
|
||||
```bicep
|
||||
resource kv1 'Microsoft.KeyVault/vaults@2019-09-01' existing = {
|
||||
name: 'adp-<<namePrefix>>-az-kv-x-001'
|
||||
scope: resourceGroup('<<subscriptionId>>','validation-rg')
|
||||
}
|
||||
|
||||
module DomainServices './Microsoft.AAD/DomainServices/deploy.bicep' = {
|
||||
name: '${uniqueString(deployment().name)}-DomainServices'
|
||||
params: {
|
||||
// Required parameters
|
||||
domainName: '<<namePrefix>>.onmicrosoft.com'
|
||||
// Non-required parameters
|
||||
additionalRecipients: [
|
||||
'<<namePrefix>>@noreply.github.com'
|
||||
]
|
||||
diagnosticEventHubAuthorizationRuleId: '/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<<namePrefix>>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey'
|
||||
diagnosticEventHubName: 'adp-<<namePrefix>>-az-evh-x-001'
|
||||
diagnosticStorageAccountId: '/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<<namePrefix>>azsax001'
|
||||
diagnosticWorkspaceId: '/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<<namePrefix>>-az-law-x-001'
|
||||
lock: 'CanNotDelete'
|
||||
pfxCertificate: kv1.getSecret('pfxBase64Certificate')
|
||||
pfxCertificatePassword: kv1.getSecret('pfxCertificatePassword')
|
||||
replicaSets: [
|
||||
{
|
||||
location: 'WestEurope'
|
||||
subnetId: '/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<<namePrefix>>-az-vnet-aadds-001/subnets/AADDSSubnet'
|
||||
}
|
||||
]
|
||||
sku: 'Standard'
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
<p>
|
||||
|
||||
<details>
|
||||
|
||||
<summary>via JSON Parameter file</summary>
|
||||
|
||||
```json
|
||||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
// Required parameters
|
||||
"domainName": {
|
||||
"value": "<<namePrefix>>.onmicrosoft.com"
|
||||
},
|
||||
// Non-required parameters
|
||||
"additionalRecipients": {
|
||||
"value": [
|
||||
"<<namePrefix>>@noreply.github.com"
|
||||
]
|
||||
},
|
||||
"diagnosticEventHubAuthorizationRuleId": {
|
||||
"value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<<namePrefix>>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey"
|
||||
},
|
||||
"diagnosticEventHubName": {
|
||||
"value": "adp-<<namePrefix>>-az-evh-x-001"
|
||||
},
|
||||
"diagnosticStorageAccountId": {
|
||||
"value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<<namePrefix>>azsax001"
|
||||
},
|
||||
"diagnosticWorkspaceId": {
|
||||
"value": "/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<<namePrefix>>-az-law-x-001"
|
||||
},
|
||||
"lock": {
|
||||
"value": "CanNotDelete"
|
||||
},
|
||||
"pfxCertificate": {
|
||||
"reference": {
|
||||
"keyVault": {
|
||||
"id": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<<namePrefix>>-az-kv-x-001"
|
||||
},
|
||||
"secretName": "pfxBase64Certificate"
|
||||
}
|
||||
},
|
||||
"pfxCertificatePassword": {
|
||||
"reference": {
|
||||
"keyVault": {
|
||||
"id": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<<namePrefix>>-az-kv-x-001"
|
||||
},
|
||||
"secretName": "pfxCertificatePassword"
|
||||
}
|
||||
},
|
||||
"replicaSets": {
|
||||
"value": [
|
||||
{
|
||||
"location": "WestEurope",
|
||||
"subnetId": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<<namePrefix>>-az-vnet-aadds-001/subnets/AADDSSubnet"
|
||||
}
|
||||
]
|
||||
},
|
||||
"sku": {
|
||||
"value": "Standard"
|
||||
}
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
<p>
|
|
@ -1,4 +0,0 @@
|
|||
{
|
||||
"$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
|
||||
"version": "0.4"
|
||||
}
|
|
@ -1,68 +0,0 @@
|
|||
@sys.description('Required. The IDs of the principals to assign the role to.')
|
||||
param principalIds array
|
||||
|
||||
@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
|
||||
param roleDefinitionIdOrName string
|
||||
|
||||
@sys.description('Required. The resource ID of the resource to apply the role assignment to.')
|
||||
param resourceId string
|
||||
|
||||
@sys.description('Optional. The principal type of the assigned principal ID.')
|
||||
@allowed([
|
||||
'ServicePrincipal'
|
||||
'Group'
|
||||
'User'
|
||||
'ForeignGroup'
|
||||
'Device'
|
||||
''
|
||||
])
|
||||
param principalType string = ''
|
||||
|
||||
@sys.description('Optional. The description of the role assignment.')
|
||||
param description string = ''
|
||||
|
||||
@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
|
||||
param condition string = ''
|
||||
|
||||
@sys.description('Optional. Version of the condition.')
|
||||
@allowed([
|
||||
'2.0'
|
||||
])
|
||||
param conditionVersion string = '2.0'
|
||||
|
||||
@sys.description('Optional. Id of the delegated managed identity resource.')
|
||||
param delegatedManagedIdentityResourceId string = ''
|
||||
|
||||
var builtInRoleNames = {
|
||||
'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
|
||||
'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
|
||||
'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
|
||||
'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
|
||||
'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
|
||||
'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
|
||||
'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
|
||||
'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
|
||||
'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
|
||||
'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')
|
||||
'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
|
||||
'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
|
||||
'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
|
||||
}
|
||||
|
||||
resource server 'Microsoft.AnalysisServices/servers@2017-08-01' existing = {
|
||||
name: last(split(resourceId, '/'))
|
||||
}
|
||||
|
||||
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: {
|
||||
name: guid(server.id, principalId, roleDefinitionIdOrName)
|
||||
properties: {
|
||||
description: description
|
||||
roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
|
||||
principalId: principalId
|
||||
principalType: !empty(principalType) ? any(principalType) : null
|
||||
condition: !empty(condition) ? condition : null
|
||||
conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null
|
||||
delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null
|
||||
}
|
||||
scope: server
|
||||
}]
|
|
@ -1,66 +0,0 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"name": {
|
||||
"value": "<<namePrefix>>azasweumax001"
|
||||
},
|
||||
"lock": {
|
||||
"value": "CanNotDelete"
|
||||
},
|
||||
"skuName": {
|
||||
"value": "S0"
|
||||
},
|
||||
"skuCapacity": {
|
||||
"value": 1
|
||||
},
|
||||
"firewallSettings": {
|
||||
"value": {
|
||||
"firewallRules": [
|
||||
{
|
||||
"firewallRuleName": "AllowFromAll",
|
||||
"rangeStart": "0.0.0.0",
|
||||
"rangeEnd": "255.255.255.255"
|
||||
}
|
||||
],
|
||||
"enablePowerBIService": true
|
||||
}
|
||||
},
|
||||
"diagnosticLogsRetentionInDays": {
|
||||
"value": 365
|
||||
},
|
||||
"diagnosticStorageAccountId": {
|
||||
"value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<<namePrefix>>azsax001"
|
||||
},
|
||||
"diagnosticWorkspaceId": {
|
||||
"value": "/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<<namePrefix>>-az-law-x-001"
|
||||
},
|
||||
"diagnosticEventHubAuthorizationRuleId": {
|
||||
"value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<<namePrefix>>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey"
|
||||
},
|
||||
"diagnosticEventHubName": {
|
||||
"value": "adp-<<namePrefix>>-az-evh-x-001"
|
||||
},
|
||||
"roleAssignments": {
|
||||
"value": [
|
||||
{
|
||||
"roleDefinitionIdOrName": "Reader",
|
||||
"principalIds": [
|
||||
"<<deploymentSpId>>"
|
||||
]
|
||||
}
|
||||
]
|
||||
},
|
||||
"diagnosticLogCategoriesToEnable": {
|
||||
"value": [
|
||||
"Engine",
|
||||
"Service"
|
||||
]
|
||||
},
|
||||
"diagnosticMetricsToEnable": {
|
||||
"value": [
|
||||
"AllMetrics"
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
|
@ -1,9 +0,0 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"name": {
|
||||
"value": "<<namePrefix>>azasweumin001"
|
||||
}
|
||||
}
|
||||
}
|
|
@ -1,40 +0,0 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"name": {
|
||||
"value": "<<namePrefix>>azasweux001"
|
||||
},
|
||||
"lock": {
|
||||
"value": "CanNotDelete"
|
||||
},
|
||||
"skuName": {
|
||||
"value": "S0"
|
||||
},
|
||||
"roleAssignments": {
|
||||
"value": [
|
||||
{
|
||||
"roleDefinitionIdOrName": "Reader",
|
||||
"principalIds": [
|
||||
"<<deploymentSpId>>"
|
||||
]
|
||||
}
|
||||
]
|
||||
},
|
||||
"diagnosticLogsRetentionInDays": {
|
||||
"value": 7
|
||||
},
|
||||
"diagnosticStorageAccountId": {
|
||||
"value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<<namePrefix>>azsax001"
|
||||
},
|
||||
"diagnosticWorkspaceId": {
|
||||
"value": "/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<<namePrefix>>-az-law-x-001"
|
||||
},
|
||||
"diagnosticEventHubAuthorizationRuleId": {
|
||||
"value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<<namePrefix>>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey"
|
||||
},
|
||||
"diagnosticEventHubName": {
|
||||
"value": "adp-<<namePrefix>>-az-evh-x-001"
|
||||
}
|
||||
}
|
||||
}
|
|
@ -1,169 +0,0 @@
|
|||
@description('Required. The name of the Azure Analysis Services server to create.')
|
||||
param name string
|
||||
|
||||
@description('Optional. The SKU name of the Azure Analysis Services server to create.')
|
||||
param skuName string = 'S0'
|
||||
|
||||
@description('Optional. The total number of query replica scale-out instances.')
|
||||
param skuCapacity int = 1
|
||||
|
||||
@description('Optional. The inbound firewall rules to define on the server. If not specified, firewall is disabled.')
|
||||
param firewallSettings object = {
|
||||
firewallRules: [
|
||||
{
|
||||
firewallRuleName: 'AllowFromAll'
|
||||
rangeStart: '0.0.0.0'
|
||||
rangeEnd: '255.255.255.255'
|
||||
}
|
||||
]
|
||||
enablePowerBIService: true
|
||||
}
|
||||
|
||||
@description('Optional. Location for all Resources.')
|
||||
param location string = resourceGroup().location
|
||||
|
||||
@description('Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.')
|
||||
@minValue(0)
|
||||
@maxValue(365)
|
||||
param diagnosticLogsRetentionInDays int = 365
|
||||
|
||||
@description('Optional. Resource ID of the diagnostic storage account.')
|
||||
param diagnosticStorageAccountId string = ''
|
||||
|
||||
@description('Optional. Resource ID of the diagnostic log analytics workspace.')
|
||||
param diagnosticWorkspaceId string = ''
|
||||
|
||||
@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
|
||||
param diagnosticEventHubAuthorizationRuleId string = ''
|
||||
|
||||
@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.')
|
||||
param diagnosticEventHubName string = ''
|
||||
|
||||
@allowed([
|
||||
''
|
||||
'CanNotDelete'
|
||||
'ReadOnly'
|
||||
])
|
||||
@description('Optional. Specify the type of lock.')
|
||||
param lock string = ''
|
||||
|
||||
@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
|
||||
param roleAssignments array = []
|
||||
|
||||
@description('Optional. Tags of the resource.')
|
||||
param tags object = {}
|
||||
|
||||
@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
|
||||
param enableDefaultTelemetry bool = true
|
||||
|
||||
@description('Optional. The name of logs that will be streamed.')
|
||||
@allowed([
|
||||
'Engine'
|
||||
'Service'
|
||||
])
|
||||
param diagnosticLogCategoriesToEnable array = [
|
||||
'Engine'
|
||||
'Service'
|
||||
]
|
||||
|
||||
@description('Optional. The name of metrics that will be streamed.')
|
||||
@allowed([
|
||||
'AllMetrics'
|
||||
])
|
||||
param diagnosticMetricsToEnable array = [
|
||||
'AllMetrics'
|
||||
]
|
||||
|
||||
@description('Optional. The name of the diagnostic setting, if deployed.')
|
||||
param diagnosticSettingsName string = '${name}-diagnosticSettings'
|
||||
|
||||
var diagnosticsLogs = [for category in diagnosticLogCategoriesToEnable: {
|
||||
category: category
|
||||
enabled: true
|
||||
retentionPolicy: {
|
||||
enabled: true
|
||||
days: diagnosticLogsRetentionInDays
|
||||
}
|
||||
}]
|
||||
|
||||
var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: {
|
||||
category: metric
|
||||
timeGrain: null
|
||||
enabled: true
|
||||
retentionPolicy: {
|
||||
enabled: true
|
||||
days: diagnosticLogsRetentionInDays
|
||||
}
|
||||
}]
|
||||
|
||||
resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
|
||||
name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
|
||||
properties: {
|
||||
mode: 'Incremental'
|
||||
template: {
|
||||
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
|
||||
contentVersion: '1.0.0.0'
|
||||
resources: []
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource server 'Microsoft.AnalysisServices/servers@2017-08-01' = {
|
||||
name: name
|
||||
location: location
|
||||
tags: tags
|
||||
sku: {
|
||||
name: skuName
|
||||
capacity: skuCapacity
|
||||
}
|
||||
properties: {
|
||||
ipV4FirewallSettings: firewallSettings
|
||||
}
|
||||
}
|
||||
|
||||
resource server_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) {
|
||||
name: '${server.name}-${lock}-lock'
|
||||
properties: {
|
||||
level: any(lock)
|
||||
notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
|
||||
}
|
||||
scope: server
|
||||
}
|
||||
|
||||
resource server_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) {
|
||||
name: diagnosticSettingsName
|
||||
properties: {
|
||||
storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null
|
||||
workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null
|
||||
eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null
|
||||
eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null
|
||||
metrics: diagnosticsMetrics
|
||||
logs: diagnosticsLogs
|
||||
}
|
||||
scope: server
|
||||
}
|
||||
|
||||
module server_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
|
||||
name: '${uniqueString(deployment().name, location)}-AnServicesServer-Rbac-${index}'
|
||||
params: {
|
||||
description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
|
||||
principalIds: roleAssignment.principalIds
|
||||
principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
|
||||
roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
|
||||
condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
|
||||
delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
|
||||
resourceId: server.id
|
||||
}
|
||||
}]
|
||||
|
||||
@description('The name of the analysis service.')
|
||||
output name string = server.name
|
||||
|
||||
@description('The resource ID of the analysis service.')
|
||||
output resourceId string = server.id
|
||||
|
||||
@description('The resource group the analysis service was deployed into.')
|
||||
output resourceGroupName string = resourceGroup().name
|
||||
|
||||
@description('The location the resource was deployed into.')
|
||||
output location string = server.location
|
|
@ -1,423 +0,0 @@
|
|||
# Analysis Services Servers `[Microsoft.AnalysisServices/servers]`
|
||||
|
||||
This module deploys an Analysis Services Server.
|
||||
|
||||
## Navigation
|
||||
|
||||
- [Resource Types](#Resource-Types)
|
||||
- [Parameters](#Parameters)
|
||||
- [Outputs](#Outputs)
|
||||
- [Cross-referenced modules](#Cross-referenced-modules)
|
||||
- [Deployment examples](#Deployment-examples)
|
||||
|
||||
## Resource Types
|
||||
|
||||
| Resource Type | API Version |
|
||||
| :-- | :-- |
|
||||
| `Microsoft.AnalysisServices/servers` | [2017-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.AnalysisServices/2017-08-01/servers) |
|
||||
| `Microsoft.Authorization/locks` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) |
|
||||
| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
|
||||
| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) |
|
||||
|
||||
## Parameters
|
||||
|
||||
**Required parameters**
|
||||
| Parameter Name | Type | Description |
|
||||
| :-- | :-- | :-- |
|
||||
| `name` | string | The name of the Azure Analysis Services server to create. |
|
||||
|
||||
**Optional parameters**
|
||||
| Parameter Name | Type | Default Value | Allowed Values | Description |
|
||||
| :-- | :-- | :-- | :-- | :-- |
|
||||
| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
|
||||
| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. |
|
||||
| `diagnosticLogCategoriesToEnable` | array | `[Engine, Service]` | `[Engine, Service]` | The name of logs that will be streamed. |
|
||||
| `diagnosticLogsRetentionInDays` | int | `365` | | Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. |
|
||||
| `diagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. |
|
||||
| `diagnosticSettingsName` | string | `[format('{0}-diagnosticSettings', parameters('name'))]` | | The name of the diagnostic setting, if deployed. |
|
||||
| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. |
|
||||
| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. |
|
||||
| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). |
|
||||
| `firewallSettings` | object | `{object}` | | The inbound firewall rules to define on the server. If not specified, firewall is disabled. |
|
||||
| `location` | string | `[resourceGroup().location]` | | Location for all Resources. |
|
||||
| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. |
|
||||
| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
|
||||
| `skuCapacity` | int | `1` | | The total number of query replica scale-out instances. |
|
||||
| `skuName` | string | `'S0'` | | The SKU name of the Azure Analysis Services server to create. |
|
||||
| `tags` | object | `{object}` | | Tags of the resource. |
|
||||
|
||||
|
||||
### Parameter Usage: `tags`
|
||||
|
||||
Tag names and tag values can be provided as needed. A tag can be left without a value.
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Parameter JSON format</summary>
|
||||
|
||||
```json
|
||||
"tags": {
|
||||
"value": {
|
||||
"Environment": "Non-Prod",
|
||||
"Contact": "test.user@testcompany.com",
|
||||
"PurchaseOrder": "1234",
|
||||
"CostCenter": "7890",
|
||||
"ServiceName": "DeploymentValidation",
|
||||
"Role": "DeploymentValidation"
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Bicep format</summary>
|
||||
|
||||
```bicep
|
||||
tags: {
|
||||
Environment: 'Non-Prod'
|
||||
Contact: 'test.user@testcompany.com'
|
||||
PurchaseOrder: '1234'
|
||||
CostCenter: '7890'
|
||||
ServiceName: 'DeploymentValidation'
|
||||
Role: 'DeploymentValidation'
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
<p>
|
||||
|
||||
### Parameter Usage: `roleAssignments`
|
||||
|
||||
Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure.
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Parameter JSON format</summary>
|
||||
|
||||
```json
|
||||
"roleAssignments": {
|
||||
"value": [
|
||||
{
|
||||
"roleDefinitionIdOrName": "Reader",
|
||||
"description": "Reader Role Assignment",
|
||||
"principalIds": [
|
||||
"12345678-1234-1234-1234-123456789012", // object 1
|
||||
"78945612-1234-1234-1234-123456789012" // object 2
|
||||
]
|
||||
},
|
||||
{
|
||||
"roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
|
||||
"principalIds": [
|
||||
"12345678-1234-1234-1234-123456789012" // object 1
|
||||
],
|
||||
"principalType": "ServicePrincipal"
|
||||
}
|
||||
]
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Bicep format</summary>
|
||||
|
||||
```bicep
|
||||
roleAssignments: [
|
||||
{
|
||||
roleDefinitionIdOrName: 'Reader'
|
||||
description: 'Reader Role Assignment'
|
||||
principalIds: [
|
||||
'12345678-1234-1234-1234-123456789012' // object 1
|
||||
'78945612-1234-1234-1234-123456789012' // object 2
|
||||
]
|
||||
}
|
||||
{
|
||||
roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'
|
||||
principalIds: [
|
||||
'12345678-1234-1234-1234-123456789012' // object 1
|
||||
]
|
||||
principalType: 'ServicePrincipal'
|
||||
}
|
||||
]
|
||||
```
|
||||
|
||||
</details>
|
||||
<p>
|
||||
|
||||
## Outputs
|
||||
|
||||
| Output Name | Type | Description |
|
||||
| :-- | :-- | :-- |
|
||||
| `location` | string | The location the resource was deployed into. |
|
||||
| `name` | string | The name of the analysis service. |
|
||||
| `resourceGroupName` | string | The resource group the analysis service was deployed into. |
|
||||
| `resourceId` | string | The resource ID of the analysis service. |
|
||||
|
||||
## Cross-referenced modules
|
||||
|
||||
_None_
|
||||
|
||||
## Deployment examples
|
||||
|
||||
The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder.
|
||||
>**Note**: The name of each example is based on the name of the file from which it is taken.
|
||||
|
||||
>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order.
|
||||
|
||||
<h3>Example 1: Max</h3>
|
||||
|
||||
<details>
|
||||
|
||||
<summary>via Bicep module</summary>
|
||||
|
||||
```bicep
|
||||
module servers './Microsoft.AnalysisServices/servers/deploy.bicep' = {
|
||||
name: '${uniqueString(deployment().name)}-Servers'
|
||||
params: {
|
||||
// Required parameters
|
||||
name: '<<namePrefix>>azasweumax001'
|
||||
// Non-required parameters
|
||||
diagnosticEventHubAuthorizationRuleId: '/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<<namePrefix>>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey'
|
||||
diagnosticEventHubName: 'adp-<<namePrefix>>-az-evh-x-001'
|
||||
diagnosticLogCategoriesToEnable: [
|
||||
'Engine'
|
||||
'Service'
|
||||
]
|
||||
diagnosticLogsRetentionInDays: 365
|
||||
diagnosticMetricsToEnable: [
|
||||
'AllMetrics'
|
||||
]
|
||||
diagnosticStorageAccountId: '/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<<namePrefix>>azsax001'
|
||||
diagnosticWorkspaceId: '/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<<namePrefix>>-az-law-x-001'
|
||||
firewallSettings: {
|
||||
enablePowerBIService: true
|
||||
firewallRules: [
|
||||
{
|
||||
firewallRuleName: 'AllowFromAll'
|
||||
rangeEnd: '255.255.255.255'
|
||||
rangeStart: '0.0.0.0'
|
||||
}
|
||||
]
|
||||
}
|
||||
lock: 'CanNotDelete'
|
||||
roleAssignments: [
|
||||
{
|
||||
principalIds: [
|
||||
'<<deploymentSpId>>'
|
||||
]
|
||||
roleDefinitionIdOrName: 'Reader'
|
||||
}
|
||||
]
|
||||
skuCapacity: 1
|
||||
skuName: 'S0'
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
<p>
|
||||
|
||||
<details>
|
||||
|
||||
<summary>via JSON Parameter file</summary>
|
||||
|
||||
```json
|
||||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
// Required parameters
|
||||
"name": {
|
||||
"value": "<<namePrefix>>azasweumax001"
|
||||
},
|
||||
// Non-required parameters
|
||||
"diagnosticEventHubAuthorizationRuleId": {
|
||||
"value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<<namePrefix>>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey"
|
||||
},
|
||||
"diagnosticEventHubName": {
|
||||
"value": "adp-<<namePrefix>>-az-evh-x-001"
|
||||
},
|
||||
"diagnosticLogCategoriesToEnable": {
|
||||
"value": [
|
||||
"Engine",
|
||||
"Service"
|
||||
]
|
||||
},
|
||||
"diagnosticLogsRetentionInDays": {
|
||||
"value": 365
|
||||
},
|
||||
"diagnosticMetricsToEnable": {
|
||||
"value": [
|
||||
"AllMetrics"
|
||||
]
|
||||
},
|
||||
"diagnosticStorageAccountId": {
|
||||
"value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<<namePrefix>>azsax001"
|
||||
},
|
||||
"diagnosticWorkspaceId": {
|
||||
"value": "/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<<namePrefix>>-az-law-x-001"
|
||||
},
|
||||
"firewallSettings": {
|
||||
"value": {
|
||||
"enablePowerBIService": true,
|
||||
"firewallRules": [
|
||||
{
|
||||
"firewallRuleName": "AllowFromAll",
|
||||
"rangeEnd": "255.255.255.255",
|
||||
"rangeStart": "0.0.0.0"
|
||||
}
|
||||
]
|
||||
}
|
||||
},
|
||||
"lock": {
|
||||
"value": "CanNotDelete"
|
||||
},
|
||||
"roleAssignments": {
|
||||
"value": [
|
||||
{
|
||||
"principalIds": [
|
||||
"<<deploymentSpId>>"
|
||||
],
|
||||
"roleDefinitionIdOrName": "Reader"
|
||||
}
|
||||
]
|
||||
},
|
||||
"skuCapacity": {
|
||||
"value": 1
|
||||
},
|
||||
"skuName": {
|
||||
"value": "S0"
|
||||
}
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
<p>
|
||||
|
||||
<h3>Example 2: Min</h3>
|
||||
|
||||
<details>
|
||||
|
||||
<summary>via Bicep module</summary>
|
||||
|
||||
```bicep
|
||||
module servers './Microsoft.AnalysisServices/servers/deploy.bicep' = {
|
||||
name: '${uniqueString(deployment().name)}-Servers'
|
||||
params: {
|
||||
name: '<<namePrefix>>azasweumin001'
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
<p>
|
||||
|
||||
<details>
|
||||
|
||||
<summary>via JSON Parameter file</summary>
|
||||
|
||||
```json
|
||||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"name": {
|
||||
"value": "<<namePrefix>>azasweumin001"
|
||||
}
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
<p>
|
||||
|
||||
<h3>Example 3: Parameters</h3>
|
||||
|
||||
<details>
|
||||
|
||||
<summary>via Bicep module</summary>
|
||||
|
||||
```bicep
|
||||
module servers './Microsoft.AnalysisServices/servers/deploy.bicep' = {
|
||||
name: '${uniqueString(deployment().name)}-Servers'
|
||||
params: {
|
||||
// Required parameters
|
||||
name: '<<namePrefix>>azasweux001'
|
||||
// Non-required parameters
|
||||
diagnosticEventHubAuthorizationRuleId: '/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<<namePrefix>>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey'
|
||||
diagnosticEventHubName: 'adp-<<namePrefix>>-az-evh-x-001'
|
||||
diagnosticLogsRetentionInDays: 7
|
||||
diagnosticStorageAccountId: '/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<<namePrefix>>azsax001'
|
||||
diagnosticWorkspaceId: '/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<<namePrefix>>-az-law-x-001'
|
||||
lock: 'CanNotDelete'
|
||||
roleAssignments: [
|
||||
{
|
||||
principalIds: [
|
||||
'<<deploymentSpId>>'
|
||||
]
|
||||
roleDefinitionIdOrName: 'Reader'
|
||||
}
|
||||
]
|
||||
skuName: 'S0'
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
<p>
|
||||
|
||||
<details>
|
||||
|
||||
<summary>via JSON Parameter file</summary>
|
||||
|
||||
```json
|
||||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
// Required parameters
|
||||
"name": {
|
||||
"value": "<<namePrefix>>azasweux001"
|
||||
},
|
||||
// Non-required parameters
|
||||
"diagnosticEventHubAuthorizationRuleId": {
|
||||
"value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<<namePrefix>>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey"
|
||||
},
|
||||
"diagnosticEventHubName": {
|
||||
"value": "adp-<<namePrefix>>-az-evh-x-001"
|
||||
},
|
||||
"diagnosticLogsRetentionInDays": {
|
||||
"value": 7
|
||||
},
|
||||
"diagnosticStorageAccountId": {
|
||||
"value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<<namePrefix>>azsax001"
|
||||
},
|
||||
"diagnosticWorkspaceId": {
|
||||
"value": "/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<<namePrefix>>-az-law-x-001"
|
||||
},
|
||||
"lock": {
|
||||
"value": "CanNotDelete"
|
||||
},
|
||||
"roleAssignments": {
|
||||
"value": [
|
||||
{
|
||||
"principalIds": [
|
||||
"<<deploymentSpId>>"
|
||||
],
|
||||
"roleDefinitionIdOrName": "Reader"
|
||||
}
|
||||
]
|
||||
},
|
||||
"skuName": {
|
||||
"value": "S0"
|
||||
}
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
<p>
|
|
@ -1,4 +0,0 @@
|
|||
{
|
||||
"$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
|
||||
"version": "0.4"
|
||||
}
|
|
@ -1,117 +0,0 @@
|
|||
@description('Required. Identifier of the authorization server.')
|
||||
param name string
|
||||
|
||||
@description('Required. The name of the API Management service.')
|
||||
param apiManagementServiceName string
|
||||
|
||||
@description('Required. OAuth authorization endpoint. See <http://tools.ietf.org/html/rfc6749#section-3.2>.')
|
||||
param authorizationEndpoint string
|
||||
|
||||
@description('Optional. HTTP verbs supported by the authorization endpoint. GET must be always present. POST is optional. - HEAD, OPTIONS, TRACE, GET, POST, PUT, PATCH, DELETE')
|
||||
param authorizationMethods array = [
|
||||
'GET'
|
||||
]
|
||||
|
||||
@description('Optional. Specifies the mechanism by which access token is passed to the API. - authorizationHeader or query')
|
||||
param bearerTokenSendingMethods array = [
|
||||
'authorizationHeader'
|
||||
]
|
||||
|
||||
@description('Optional. Method of authentication supported by the token endpoint of this authorization server. Possible values are Basic and/or Body. When Body is specified, client credentials and other parameters are passed within the request body in the application/x-www-form-urlencoded format. - Basic or Body')
|
||||
param clientAuthenticationMethod array = [
|
||||
'Basic'
|
||||
]
|
||||
|
||||
@description('Optional. Optional reference to a page where client or app registration for this authorization server is performed. Contains absolute URL to entity being referenced.')
|
||||
param clientRegistrationEndpoint string = ''
|
||||
|
||||
@description('Required. Name of the key vault that stores clientId and clientSecret for this authorization server.')
|
||||
param clientCredentialsKeyVaultId string
|
||||
|
||||
@description('Required. Name of the secret that stores the Client or app ID registered with this authorization server.')
|
||||
param clientIdSecretName string
|
||||
|
||||
@description('Required. Name of the secret that stores the Client or app secret registered with this authorization server. This property will not be filled on \'GET\' operations! Use \'/listSecrets\' POST request to get the value.')
|
||||
param clientSecretSecretName string
|
||||
|
||||
@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
|
||||
param enableDefaultTelemetry bool = true
|
||||
|
||||
@description('Optional. Access token scope that is going to be requested by default. Can be overridden at the API level. Should be provided in the form of a string containing space-delimited values.')
|
||||
param defaultScope string = ''
|
||||
|
||||
@description('Optional. Description of the authorization server. Can contain HTML formatting tags.')
|
||||
param serverDescription string = ''
|
||||
|
||||
@description('Required. Form of an authorization grant, which the client uses to request the access token. - authorizationCode, implicit, resourceOwnerPassword, clientCredentials')
|
||||
param grantTypes array
|
||||
|
||||
@description('Optional. Can be optionally specified when resource owner password grant type is supported by this authorization server. Default resource owner password.')
|
||||
#disable-next-line secure-secrets-in-params // Not a secret
|
||||
param resourceOwnerPassword string = ''
|
||||
|
||||
@description('Optional. Can be optionally specified when resource owner password grant type is supported by this authorization server. Default resource owner username.')
|
||||
param resourceOwnerUsername string = ''
|
||||
|
||||
@description('Optional. If true, authorization server will include state parameter from the authorization request to its response. Client may use state parameter to raise protocol security.')
|
||||
param supportState bool = false
|
||||
|
||||
@description('Optional. Additional parameters required by the token endpoint of this authorization server represented as an array of JSON objects with name and value string properties, i.e. {"name" : "name value", "value": "a value"}. - TokenBodyParameterContract object')
|
||||
param tokenBodyParameters array = []
|
||||
|
||||
@description('Optional. OAuth token endpoint. Contains absolute URI to entity being referenced.')
|
||||
param tokenEndpoint string = ''
|
||||
|
||||
var defaultAuthorizationMethods = [
|
||||
'GET'
|
||||
]
|
||||
var setAuthorizationMethods = union(authorizationMethods, defaultAuthorizationMethods)
|
||||
|
||||
resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
|
||||
name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
|
||||
properties: {
|
||||
mode: 'Incremental'
|
||||
template: {
|
||||
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
|
||||
contentVersion: '1.0.0.0'
|
||||
resources: []
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource keyVault 'Microsoft.KeyVault/vaults@2019-09-01' existing = {
|
||||
name: last(split(clientCredentialsKeyVaultId, '/'))
|
||||
scope: resourceGroup(split(clientCredentialsKeyVaultId, '/')[2], split(clientCredentialsKeyVaultId, '/')[4])
|
||||
}
|
||||
|
||||
module authorizationServer '../authorizationServers/deploy.bicep' = {
|
||||
name: '${deployment().name}-AuthorizationServer'
|
||||
params: {
|
||||
apiManagementServiceName: apiManagementServiceName
|
||||
serverDescription: serverDescription
|
||||
authorizationMethods: setAuthorizationMethods
|
||||
clientAuthenticationMethod: clientAuthenticationMethod
|
||||
tokenBodyParameters: tokenBodyParameters
|
||||
tokenEndpoint: tokenEndpoint
|
||||
supportState: supportState
|
||||
defaultScope: defaultScope
|
||||
bearerTokenSendingMethods: bearerTokenSendingMethods
|
||||
resourceOwnerUsername: resourceOwnerUsername
|
||||
resourceOwnerPassword: resourceOwnerPassword
|
||||
name: name
|
||||
clientRegistrationEndpoint: clientRegistrationEndpoint
|
||||
authorizationEndpoint: authorizationEndpoint
|
||||
grantTypes: grantTypes
|
||||
clientId: keyVault.getSecret(clientIdSecretName)
|
||||
clientSecret: keyVault.getSecret(clientSecretSecretName)
|
||||
}
|
||||
}
|
||||
|
||||
@description('The name of the API management service authorization server')
|
||||
output name string = authorizationServer.outputs.name
|
||||
|
||||
@description('The resource ID of the API management service authorization server')
|
||||
output resourceId string = authorizationServer.outputs.resourceId
|
||||
|
||||
@description('The resource group the API management service authorization server was deployed into')
|
||||
output resourceGroupName string = authorizationServer.outputs.resourceGroupName
|
|
@ -1,71 +0,0 @@
|
|||
@sys.description('Required. The IDs of the principals to assign the role to.')
|
||||
param principalIds array
|
||||
|
||||
@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
|
||||
param roleDefinitionIdOrName string
|
||||
|
||||
@sys.description('Required. The resource ID of the resource to apply the role assignment to.')
|
||||
param resourceId string
|
||||
|
||||
@sys.description('Optional. The principal type of the assigned principal ID.')
|
||||
@allowed([
|
||||
'ServicePrincipal'
|
||||
'Group'
|
||||
'User'
|
||||
'ForeignGroup'
|
||||
'Device'
|
||||
''
|
||||
])
|
||||
param principalType string = ''
|
||||
|
||||
@sys.description('Optional. The description of the role assignment.')
|
||||
param description string = ''
|
||||
|
||||
@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
|
||||
param condition string = ''
|
||||
|
||||
@sys.description('Optional. Version of the condition.')
|
||||
@allowed([
|
||||
'2.0'
|
||||
])
|
||||
param conditionVersion string = '2.0'
|
||||
|
||||
@sys.description('Optional. Id of the delegated managed identity resource.')
|
||||
param delegatedManagedIdentityResourceId string = ''
|
||||
|
||||
var builtInRoleNames = {
|
||||
'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
|
||||
'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
|
||||
'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
|
||||
'API Management Service Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '312a565d-c81f-4fd8-895a-4e21e48d571c')
|
||||
'API Management Service Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e022efe7-f5ba-4159-bbe4-b44f577e9b61')
|
||||
'API Management Service Reader Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '71522526-b88f-4d52-b57f-d31fc3546d0d')
|
||||
'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
|
||||
'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
|
||||
'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
|
||||
'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
|
||||
'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
|
||||
'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
|
||||
'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')
|
||||
'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
|
||||
'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
|
||||
'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
|
||||
}
|
||||
|
||||
resource service 'Microsoft.ApiManagement/service@2020-12-01' existing = {
|
||||
name: last(split(resourceId, '/'))
|
||||
}
|
||||
|
||||
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: {
|
||||
name: guid(service.id, principalId, roleDefinitionIdOrName)
|
||||
properties: {
|
||||
description: description
|
||||
roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
|
||||
principalId: principalId
|
||||
principalType: !empty(principalType) ? any(principalType) : null
|
||||
condition: !empty(condition) ? condition : null
|
||||
conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null
|
||||
delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null
|
||||
}
|
||||
scope: service
|
||||
}]
|
|
@ -1,177 +0,0 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"name": {
|
||||
"value": "<<namePrefix>>-az-apim-max-001"
|
||||
},
|
||||
"lock": {
|
||||
"value": "CanNotDelete"
|
||||
},
|
||||
"publisherEmail": {
|
||||
"value": "apimgmt-noreply@mail.windowsazure.com"
|
||||
},
|
||||
"publisherName": {
|
||||
"value": "<<namePrefix>>-az-amorg-x-001"
|
||||
},
|
||||
"apis": {
|
||||
"value": [
|
||||
{
|
||||
"name": "echo-api",
|
||||
"displayName": "Echo API",
|
||||
"path": "echo",
|
||||
"serviceUrl": "http://echoapi.cloudapp.net/api",
|
||||
"apiVersionSet": {
|
||||
"name": "echo-version-set",
|
||||
"properties": {
|
||||
"description": "echo-version-set",
|
||||
"displayName": "echo-version-set",
|
||||
"versioningScheme": "Segment"
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
"authorizationServers": {
|
||||
"value": [
|
||||
{
|
||||
"name": "AuthServer1",
|
||||
"authorizationEndpoint": "https://login.microsoftonline.com/651b43ce-ccb8-4301-b551-b04dd872d401/oauth2/v2.0/authorize",
|
||||
"grantTypes": [
|
||||
"authorizationCode"
|
||||
],
|
||||
"clientCredentialsKeyVaultId": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<<namePrefix>>-az-kv-x-001",
|
||||
"clientIdSecretName": "apimclientid",
|
||||
"clientSecretSecretName": "apimclientsecret",
|
||||
"clientRegistrationEndpoint": "http://localhost",
|
||||
"tokenEndpoint": "https://login.microsoftonline.com/651b43ce-ccb8-4301-b551-b04dd872d401/oauth2/v2.0/token"
|
||||
}
|
||||
]
|
||||
},
|
||||
"backends": {
|
||||
"value": [
|
||||
{
|
||||
"name": "backend",
|
||||
"url": "http://echoapi.cloudapp.net/api",
|
||||
"tls": {
|
||||
"validateCertificateChain": false,
|
||||
"validateCertificateName": false
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
"caches": {
|
||||
"value": [
|
||||
{
|
||||
"name": "westeurope",
|
||||
"connectionString": "connectionstringtest",
|
||||
"useFromLocation": "westeurope"
|
||||
}
|
||||
]
|
||||
},
|
||||
"identityProviders": {
|
||||
"value": [
|
||||
{
|
||||
"name": "aadProvider"
|
||||
}
|
||||
]
|
||||
},
|
||||
"namedValues": {
|
||||
"value": [
|
||||
{
|
||||
"name": "apimkey",
|
||||
"displayName": "apimkey",
|
||||
"secret": true
|
||||
}
|
||||
]
|
||||
},
|
||||
"policies": {
|
||||
"value": [
|
||||
{
|
||||
"value": "<policies> <inbound> <rate-limit-by-key calls='250' renewal-period='60' counter-key='@(context.Request.IpAddress)' /> </inbound> <backend> <forward-request /> </backend> <outbound> </outbound> </policies>",
|
||||
"format": "xml"
|
||||
}
|
||||
]
|
||||
},
|
||||
"portalSettings": {
|
||||
"value": [
|
||||
{
|
||||
"name": "signin",
|
||||
"properties": {
|
||||
"enabled": false
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "signup",
|
||||
"properties": {
|
||||
"enabled": false,
|
||||
"termsOfService": {
|
||||
"enabled": false,
|
||||
"consentRequired": false
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
"products": {
|
||||
"value": [
|
||||
{
|
||||
"name": "Starter",
|
||||
"subscriptionRequired": false,
|
||||
"approvalRequired": false,
|
||||
"apis": [
|
||||
{
|
||||
"name": "echo-api"
|
||||
}
|
||||
],
|
||||
"groups": [
|
||||
{
|
||||
"name": "developers"
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
},
|
||||
"subscriptions": {
|
||||
"value": [
|
||||
{
|
||||
"scope": "/apis",
|
||||
"name": "testArmSubscriptionAllApis"
|
||||
}
|
||||
]
|
||||
},
|
||||
"systemAssignedIdentity": {
|
||||
"value": true
|
||||
},
|
||||
"userAssignedIdentities": {
|
||||
"value": {
|
||||
"/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<<namePrefix>>-az-msi-x-001": {}
|
||||
}
|
||||
},
|
||||
"roleAssignments": {
|
||||
"value": [
|
||||
{
|
||||
"roleDefinitionIdOrName": "Reader",
|
||||
"principalIds": [
|
||||
"<<deploymentSpId>>"
|
||||
]
|
||||
}
|
||||
]
|
||||
},
|
||||
"diagnosticLogsRetentionInDays": {
|
||||
"value": 7
|
||||
},
|
||||
"diagnosticStorageAccountId": {
|
||||
"value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<<namePrefix>>azsax001"
|
||||
},
|
||||
"diagnosticWorkspaceId": {
|
||||
"value": "/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<<namePrefix>>-az-law-x-001"
|
||||
},
|
||||
"diagnosticEventHubAuthorizationRuleId": {
|
||||
"value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<<namePrefix>>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey"
|
||||
},
|
||||
"diagnosticEventHubName": {
|
||||
"value": "adp-<<namePrefix>>-az-evh-x-001"
|
||||
}
|
||||
}
|
||||
}
|
|
@ -1,15 +0,0 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"name": {
|
||||
"value": "<<namePrefix>>-az-apim-min-001"
|
||||
},
|
||||
"publisherEmail": {
|
||||
"value": "apimgmt-noreply@mail.windowsazure.com"
|
||||
},
|
||||
"publisherName": {
|
||||
"value": "<<namePrefix>>-az-amorg-x-001"
|
||||
}
|
||||
}
|
||||
}
|
|
@ -1,56 +0,0 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"name": {
|
||||
"value": "<<namePrefix>>-az-apim-x-001"
|
||||
},
|
||||
"lock": {
|
||||
"value": "CanNotDelete"
|
||||
},
|
||||
"publisherEmail": {
|
||||
"value": "apimgmt-noreply@mail.windowsazure.com"
|
||||
},
|
||||
"publisherName": {
|
||||
"value": "<<namePrefix>>-az-amorg-x-001"
|
||||
},
|
||||
"portalSettings": {
|
||||
"value": [
|
||||
{
|
||||
"name": "signin",
|
||||
"properties": {
|
||||
"enabled": false
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "signup",
|
||||
"properties": {
|
||||
"enabled": false,
|
||||
"termsOfService": {
|
||||
"enabled": false,
|
||||
"consentRequired": false
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
"policies": {
|
||||
"value": [
|
||||
{
|
||||
"value": "<policies> <inbound> <rate-limit-by-key calls='250' renewal-period='60' counter-key='@(context.Request.IpAddress)' /> </inbound> <backend> <forward-request /> </backend> <outbound> </outbound> </policies>",
|
||||
"format": "xml"
|
||||
}
|
||||
]
|
||||
},
|
||||
"roleAssignments": {
|
||||
"value": [
|
||||
{
|
||||
"roleDefinitionIdOrName": "Reader",
|
||||
"principalIds": [
|
||||
"<<deploymentSpId>>"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
|
@ -1,42 +0,0 @@
|
|||
@description('Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment.')
|
||||
param apiManagementServiceName string
|
||||
|
||||
@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
|
||||
param enableDefaultTelemetry bool = true
|
||||
|
||||
@description('Optional. API Version set name.')
|
||||
param name string = 'default'
|
||||
|
||||
@description('Optional. API Version set properties.')
|
||||
param properties object = {}
|
||||
|
||||
resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
|
||||
name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
|
||||
properties: {
|
||||
mode: 'Incremental'
|
||||
template: {
|
||||
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
|
||||
contentVersion: '1.0.0.0'
|
||||
resources: []
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource service 'Microsoft.ApiManagement/service@2021-08-01' existing = {
|
||||
name: apiManagementServiceName
|
||||
}
|
||||
|
||||
resource apiVersionSet 'Microsoft.ApiManagement/service/apiVersionSets@2021-08-01' = {
|
||||
name: name
|
||||
parent: service
|
||||
properties: properties
|
||||
}
|
||||
|
||||
@description('The resource ID of the API Version set.')
|
||||
output resourceId string = apiVersionSet.id
|
||||
|
||||
@description('The name of the API Version set.')
|
||||
output name string = apiVersionSet.name
|
||||
|
||||
@description('The resource group the API Version set was deployed into.')
|
||||
output resourceGroupName string = resourceGroup().name
|
|
@ -1,43 +0,0 @@
|
|||
# API Management Service API Version Sets `[Microsoft.ApiManagement/service/apiVersionSets]`
|
||||
|
||||
This module deploys API Management Service APIs Version Set.
|
||||
|
||||
## Navigation
|
||||
|
||||
- [Resource Types](#Resource-Types)
|
||||
- [Parameters](#Parameters)
|
||||
- [Outputs](#Outputs)
|
||||
- [Cross-referenced modules](#Cross-referenced-modules)
|
||||
|
||||
## Resource Types
|
||||
|
||||
| Resource Type | API Version |
|
||||
| :-- | :-- |
|
||||
| `Microsoft.ApiManagement/service/apiVersionSets` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/apiVersionSets) |
|
||||
|
||||
## Parameters
|
||||
|
||||
**Conditional parameters**
|
||||
| Parameter Name | Type | Description |
|
||||
| :-- | :-- | :-- |
|
||||
| `apiManagementServiceName` | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. |
|
||||
|
||||
**Optional parameters**
|
||||
| Parameter Name | Type | Default Value | Description |
|
||||
| :-- | :-- | :-- | :-- |
|
||||
| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). |
|
||||
| `name` | string | `'default'` | API Version set name. |
|
||||
| `properties` | object | `{object}` | API Version set properties. |
|
||||
|
||||
|
||||
## Outputs
|
||||
|
||||
| Output Name | Type | Description |
|
||||
| :-- | :-- | :-- |
|
||||
| `name` | string | The name of the API Version set. |
|
||||
| `resourceGroupName` | string | The resource group the API Version set was deployed into. |
|
||||
| `resourceId` | string | The resource ID of the API Version set. |
|
||||
|
||||
## Cross-referenced modules
|
||||
|
||||
_None_
|
|
@ -1,4 +0,0 @@
|
|||
{
|
||||
"$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
|
||||
"version": "0.4"
|
||||
}
|
|
@ -1,160 +0,0 @@
|
|||
@description('Required. API revision identifier. Must be unique in the current API Management service instance. Non-current revision has ;rev=n as a suffix where n is the revision number.')
|
||||
param name string
|
||||
|
||||
@description('Optional. Array of Policies to apply to the Service API.')
|
||||
param policies array = []
|
||||
|
||||
@description('Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment.')
|
||||
param apiManagementServiceName string
|
||||
|
||||
@description('Optional. Describes the Revision of the API. If no value is provided, default revision 1 is created.')
|
||||
param apiRevision string = ''
|
||||
|
||||
@description('Optional. Description of the API Revision.')
|
||||
param apiRevisionDescription string = ''
|
||||
|
||||
@description('Optional. Type of API to create. * http creates a SOAP to REST API * soap creates a SOAP pass-through API.')
|
||||
@allowed([
|
||||
'http'
|
||||
'soap'
|
||||
])
|
||||
param apiType string = 'http'
|
||||
|
||||
@description('Optional. Indicates the Version identifier of the API if the API is versioned.')
|
||||
param apiVersion string = ''
|
||||
|
||||
@description('Optional. Indicates the Version identifier of the API version set.')
|
||||
param apiVersionSetId string = ''
|
||||
|
||||
@description('Optional. Description of the API Version.')
|
||||
param apiVersionDescription string = ''
|
||||
|
||||
@description('Optional. Collection of authentication settings included into this API.')
|
||||
param authenticationSettings object = {}
|
||||
|
||||
@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
|
||||
param enableDefaultTelemetry bool = true
|
||||
|
||||
@description('Optional. Description of the API. May include HTML formatting tags.')
|
||||
param apiDescription string = ''
|
||||
|
||||
@description('Required. API name. Must be 1 to 300 characters long.')
|
||||
@maxLength(300)
|
||||
param displayName string
|
||||
|
||||
@description('Optional. Format of the Content in which the API is getting imported.')
|
||||
@allowed([
|
||||
'wadl-xml'
|
||||
'wadl-link-json'
|
||||
'swagger-json'
|
||||
'swagger-link-json'
|
||||
'wsdl'
|
||||
'wsdl-link'
|
||||
'openapi'
|
||||
'openapi+json'
|
||||
'openapi-link'
|
||||
'openapi+json-link'
|
||||
])
|
||||
param format string = 'openapi'
|
||||
|
||||
@description('Optional. Indicates if API revision is current API revision.')
|
||||
param isCurrent bool = true
|
||||
|
||||
@description('Required. Relative URL uniquely identifying this API and all of its resource paths within the API Management service instance. It is appended to the API endpoint base URL specified during the service instance creation to form a public URL for this API.')
|
||||
param path string
|
||||
|
||||
@description('Optional. Describes on which protocols the operations in this API can be invoked. - HTTP or HTTPS.')
|
||||
param protocols array = [
|
||||
'https'
|
||||
]
|
||||
|
||||
@description('Optional. Absolute URL of the backend service implementing this API. Cannot be more than 2000 characters long.')
|
||||
@maxLength(2000)
|
||||
param serviceUrl string = ''
|
||||
|
||||
@description('Optional. API identifier of the source API.')
|
||||
param sourceApiId string = ''
|
||||
|
||||
@description('Optional. Protocols over which API is made available.')
|
||||
param subscriptionKeyParameterNames object = {}
|
||||
|
||||
@description('Optional. Specifies whether an API or Product subscription is required for accessing the API.')
|
||||
param subscriptionRequired bool = false
|
||||
|
||||
@description('Optional. Type of API.')
|
||||
@allowed([
|
||||
'http'
|
||||
'soap'
|
||||
])
|
||||
param type string = 'http'
|
||||
|
||||
@description('Optional. Content value when Importing an API.')
|
||||
param value string = ''
|
||||
|
||||
@description('Optional. Criteria to limit import of WSDL to a subset of the document.')
|
||||
param wsdlSelector object = {}
|
||||
|
||||
var enableReferencedModulesTelemetry = false
|
||||
|
||||
resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
|
||||
name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
|
||||
properties: {
|
||||
mode: 'Incremental'
|
||||
template: {
|
||||
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
|
||||
contentVersion: '1.0.0.0'
|
||||
resources: []
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource service 'Microsoft.ApiManagement/service@2021-08-01' existing = {
|
||||
name: apiManagementServiceName
|
||||
}
|
||||
|
||||
resource api 'Microsoft.ApiManagement/service/apis@2021-08-01' = {
|
||||
name: name
|
||||
parent: service
|
||||
properties: {
|
||||
apiRevision: !empty(apiRevision) ? apiRevision : null
|
||||
apiRevisionDescription: !empty(apiRevisionDescription) ? apiRevisionDescription : null
|
||||
apiType: !empty(apiType) ? apiType : null
|
||||
apiVersion: !empty(apiVersion) ? apiVersion : null
|
||||
apiVersionDescription: !empty(apiVersionDescription) ? apiVersionDescription : null
|
||||
apiVersionSetId: !empty(apiVersionSetId) ? apiVersionSetId : null
|
||||
authenticationSettings: authenticationSettings
|
||||
description: apiDescription
|
||||
displayName: displayName
|
||||
format: !empty(value) ? format : null
|
||||
isCurrent: isCurrent
|
||||
path: path
|
||||
protocols: protocols
|
||||
serviceUrl: !empty(serviceUrl) ? serviceUrl : null
|
||||
sourceApiId: !empty(sourceApiId) ? sourceApiId : null
|
||||
subscriptionKeyParameterNames: !empty(subscriptionKeyParameterNames) ? subscriptionKeyParameterNames : null
|
||||
subscriptionRequired: subscriptionRequired
|
||||
type: type
|
||||
value: !empty(value) ? value : null
|
||||
wsdlSelector: wsdlSelector
|
||||
}
|
||||
}
|
||||
|
||||
module policy 'policies/deploy.bicep' = [for (policy, index) in policies: {
|
||||
name: '${deployment().name}-Policy-${index}'
|
||||
params: {
|
||||
apiManagementServiceName: apiManagementServiceName
|
||||
apiName: api.name
|
||||
format: contains(policy, 'format') ? policy.format : 'xml'
|
||||
value: policy.value
|
||||
enableDefaultTelemetry: enableReferencedModulesTelemetry
|
||||
}
|
||||
}]
|
||||
|
||||
@description('The name of the API management service API.')
|
||||
output name string = api.name
|
||||
|
||||
@description('The resource ID of the API management service API.')
|
||||
output resourceId string = api.id
|
||||
|
||||
@description('The resource group the API management service API was deployed to.')
|
||||
output resourceGroupName string = resourceGroup().name
|
|
@ -1,61 +0,0 @@
|
|||
@description('Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment.')
|
||||
param apiManagementServiceName string
|
||||
|
||||
@description('Conditional. The name of the parent API. Required if the template is used in a standalone deployment.')
|
||||
param apiName string
|
||||
|
||||
@description('Optional. The name of the policy.')
|
||||
param name string = 'policy'
|
||||
|
||||
@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
|
||||
param enableDefaultTelemetry bool = true
|
||||
|
||||
@description('Optional. Format of the policyContent.')
|
||||
@allowed([
|
||||
'rawxml'
|
||||
'rawxml-link'
|
||||
'xml'
|
||||
'xml-link'
|
||||
])
|
||||
param format string = 'xml'
|
||||
|
||||
@description('Required. Contents of the Policy as defined by the format.')
|
||||
param value string
|
||||
|
||||
resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
|
||||
name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
|
||||
properties: {
|
||||
mode: 'Incremental'
|
||||
template: {
|
||||
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
|
||||
contentVersion: '1.0.0.0'
|
||||
resources: []
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource service 'Microsoft.ApiManagement/service@2021-08-01' existing = {
|
||||
name: apiManagementServiceName
|
||||
|
||||
resource api 'apis@2021-08-01' existing = {
|
||||
name: apiName
|
||||
}
|
||||
}
|
||||
|
||||
resource policy 'Microsoft.ApiManagement/service/apis/policies@2021-08-01' = {
|
||||
name: name
|
||||
parent: service::api
|
||||
properties: {
|
||||
format: format
|
||||
value: value
|
||||
}
|
||||
}
|
||||
|
||||
@description('The resource ID of the API policy.')
|
||||
output resourceId string = policy.id
|
||||
|
||||
@description('The name of the API policy.')
|
||||
output name string = policy.name
|
||||
|
||||
@description('The resource group the API policy was deployed into.')
|
||||
output resourceGroupName string = resourceGroup().name
|
|
@ -1,49 +0,0 @@
|
|||
# API Management Service APIs Policies `[Microsoft.ApiManagement/service/apis/policies]`
|
||||
|
||||
This module deploys API Management Service APIs policies.
|
||||
|
||||
## Navigation
|
||||
|
||||
- [Resource Types](#Resource-Types)
|
||||
- [Parameters](#Parameters)
|
||||
- [Outputs](#Outputs)
|
||||
- [Cross-referenced modules](#Cross-referenced-modules)
|
||||
|
||||
## Resource Types
|
||||
|
||||
| Resource Type | API Version |
|
||||
| :-- | :-- |
|
||||
| `Microsoft.ApiManagement/service/apis/policies` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/apis/policies) |
|
||||
|
||||
## Parameters
|
||||
|
||||
**Required parameters**
|
||||
| Parameter Name | Type | Description |
|
||||
| :-- | :-- | :-- |
|
||||
| `value` | string | Contents of the Policy as defined by the format. |
|
||||
|
||||
**Conditional parameters**
|
||||
| Parameter Name | Type | Description |
|
||||
| :-- | :-- | :-- |
|
||||
| `apiManagementServiceName` | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. |
|
||||
| `apiName` | string | The name of the parent API. Required if the template is used in a standalone deployment. |
|
||||
|
||||
**Optional parameters**
|
||||
| Parameter Name | Type | Default Value | Allowed Values | Description |
|
||||
| :-- | :-- | :-- | :-- | :-- |
|
||||
| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). |
|
||||
| `format` | string | `'xml'` | `[rawxml, rawxml-link, xml, xml-link]` | Format of the policyContent. |
|
||||
| `name` | string | `'policy'` | | The name of the policy. |
|
||||
|
||||
|
||||
## Outputs
|
||||
|
||||
| Output Name | Type | Description |
|
||||
| :-- | :-- | :-- |
|
||||
| `name` | string | The name of the API policy. |
|
||||
| `resourceGroupName` | string | The resource group the API policy was deployed into. |
|
||||
| `resourceId` | string | The resource ID of the API policy. |
|
||||
|
||||
## Cross-referenced modules
|
||||
|
||||
_None_
|
|
@ -1,4 +0,0 @@
|
|||
{
|
||||
"$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
|
||||
"version": "0.4"
|
||||
}
|
|
@ -1,68 +0,0 @@
|
|||
# API Management Service APIs `[Microsoft.ApiManagement/service/apis]`
|
||||
|
||||
This module deploys API Management Service APIs.
|
||||
|
||||
## Navigation
|
||||
|
||||
- [Resource types](#Resource-types)
|
||||
- [Parameters](#Parameters)
|
||||
- [Outputs](#Outputs)
|
||||
- [Cross-referenced modules](#Cross-referenced-modules)
|
||||
|
||||
## Resource types
|
||||
|
||||
| Resource Type | API Version |
|
||||
| :-- | :-- |
|
||||
| `Microsoft.ApiManagement/service/apis` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/apis) |
|
||||
| `Microsoft.ApiManagement/service/apis/policies` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/apis/policies) |
|
||||
|
||||
## Parameters
|
||||
|
||||
**Required parameters**
|
||||
| Parameter Name | Type | Description |
|
||||
| :-- | :-- | :-- |
|
||||
| `displayName` | string | API name. Must be 1 to 300 characters long. |
|
||||
| `name` | string | API revision identifier. Must be unique in the current API Management service instance. Non-current revision has ;rev=n as a suffix where n is the revision number. |
|
||||
| `path` | string | Relative URL uniquely identifying this API and all of its resource paths within the API Management service instance. It is appended to the API endpoint base URL specified during the service instance creation to form a public URL for this API. |
|
||||
|
||||
**Conditional parameters**
|
||||
| Parameter Name | Type | Description |
|
||||
| :-- | :-- | :-- |
|
||||
| `apiManagementServiceName` | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. |
|
||||
|
||||
**Optional parameters**
|
||||
| Parameter Name | Type | Default Value | Allowed Values | Description |
|
||||
| :-- | :-- | :-- | :-- | :-- |
|
||||
| `apiDescription` | string | `''` | | Description of the API. May include HTML formatting tags. |
|
||||
| `apiRevision` | string | `''` | | Describes the Revision of the API. If no value is provided, default revision 1 is created. |
|
||||
| `apiRevisionDescription` | string | `''` | | Description of the API Revision. |
|
||||
| `apiType` | string | `'http'` | `[http, soap]` | Type of API to create. * http creates a SOAP to REST API * soap creates a SOAP pass-through API. |
|
||||
| `apiVersion` | string | `''` | | Indicates the Version identifier of the API if the API is versioned. |
|
||||
| `apiVersionDescription` | string | `''` | | Description of the API Version. |
|
||||
| `apiVersionSetId` | string | `''` | | Indicates the Version identifier of the API version set. |
|
||||
| `authenticationSettings` | object | `{object}` | | Collection of authentication settings included into this API. |
|
||||
| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). |
|
||||
| `format` | string | `'openapi'` | `[openapi, openapi-link, openapi+json, openapi+json-link, swagger-json, swagger-link-json, wadl-link-json, wadl-xml, wsdl, wsdl-link]` | Format of the Content in which the API is getting imported. |
|
||||
| `isCurrent` | bool | `True` | | Indicates if API revision is current API revision. |
|
||||
| `policies` | _[policies](policies/readme.md)_ array | `[]` | | Array of Policies to apply to the Service API. |
|
||||
| `protocols` | array | `[https]` | | Describes on which protocols the operations in this API can be invoked. - HTTP or HTTPS. |
|
||||
| `serviceUrl` | string | `''` | | Absolute URL of the backend service implementing this API. Cannot be more than 2000 characters long. |
|
||||
| `sourceApiId` | string | `''` | | API identifier of the source API. |
|
||||
| `subscriptionKeyParameterNames` | object | `{object}` | | Protocols over which API is made available. |
|
||||
| `subscriptionRequired` | bool | `False` | | Specifies whether an API or Product subscription is required for accessing the API. |
|
||||
| `type` | string | `'http'` | `[http, soap]` | Type of API. |
|
||||
| `value` | string | `''` | | Content value when Importing an API. |
|
||||
| `wsdlSelector` | object | `{object}` | | Criteria to limit import of WSDL to a subset of the document. |
|
||||
|
||||
|
||||
## Outputs
|
||||
|
||||
| Output Name | Type | Description |
|
||||
| :-- | :-- | :-- |
|
||||
| `name` | string | The name of the API management service API. |
|
||||
| `resourceGroupName` | string | The resource group the API management service API was deployed to. |
|
||||
| `resourceId` | string | The resource ID of the API management service API. |
|
||||
|
||||
## Cross-referenced modules
|
||||
|
||||
_None_
|
|
@ -1,4 +0,0 @@
|
|||
{
|
||||
"$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
|
||||
"version": "0.4"
|
||||
}
|
|
@ -1,115 +0,0 @@
|
|||
@description('Required. Identifier of the authorization server.')
|
||||
param name string
|
||||
|
||||
@description('Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment.')
|
||||
param apiManagementServiceName string
|
||||
|
||||
@description('Required. OAuth authorization endpoint. See <http://tools.ietf.org/html/rfc6749#section-3.2>.')
|
||||
param authorizationEndpoint string
|
||||
|
||||
@description('Optional. HTTP verbs supported by the authorization endpoint. GET must be always present. POST is optional. - HEAD, OPTIONS, TRACE, GET, POST, PUT, PATCH, DELETE.')
|
||||
param authorizationMethods array = [
|
||||
'GET'
|
||||
]
|
||||
|
||||
@description('Optional. Specifies the mechanism by which access token is passed to the API. - authorizationHeader or query.')
|
||||
param bearerTokenSendingMethods array = [
|
||||
'authorizationHeader'
|
||||
]
|
||||
|
||||
@description('Optional. Method of authentication supported by the token endpoint of this authorization server. Possible values are Basic and/or Body. When Body is specified, client credentials and other parameters are passed within the request body in the application/x-www-form-urlencoded format. - Basic or Body.')
|
||||
param clientAuthenticationMethod array = [
|
||||
'Basic'
|
||||
]
|
||||
|
||||
@description('Required. Client or app ID registered with this authorization server.')
|
||||
@secure()
|
||||
param clientId string
|
||||
|
||||
@description('Optional. Optional reference to a page where client or app registration for this authorization server is performed. Contains absolute URL to entity being referenced.')
|
||||
param clientRegistrationEndpoint string = ''
|
||||
|
||||
@description('Required. Client or app secret registered with this authorization server. This property will not be filled on \'GET\' operations! Use \'/listSecrets\' POST request to get the value.')
|
||||
@secure()
|
||||
param clientSecret string
|
||||
|
||||
@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
|
||||
param enableDefaultTelemetry bool = true
|
||||
|
||||
@description('Optional. Access token scope that is going to be requested by default. Can be overridden at the API level. Should be provided in the form of a string containing space-delimited values.')
|
||||
param defaultScope string = ''
|
||||
|
||||
@description('Optional. Description of the authorization server. Can contain HTML formatting tags.')
|
||||
param serverDescription string = ''
|
||||
|
||||
@description('Required. Form of an authorization grant, which the client uses to request the access token. - authorizationCode, implicit, resourceOwnerPassword, clientCredentials.')
|
||||
param grantTypes array
|
||||
|
||||
@description('Optional. Can be optionally specified when resource owner password grant type is supported by this authorization server. Default resource owner password.')
|
||||
#disable-next-line secure-secrets-in-params // Not a secret
|
||||
param resourceOwnerPassword string = ''
|
||||
|
||||
@description('Optional. Can be optionally specified when resource owner password grant type is supported by this authorization server. Default resource owner username.')
|
||||
param resourceOwnerUsername string = ''
|
||||
|
||||
@description('Optional. If true, authorization server will include state parameter from the authorization request to its response. Client may use state parameter to raise protocol security.')
|
||||
param supportState bool = false
|
||||
|
||||
@description('Optional. Additional parameters required by the token endpoint of this authorization server represented as an array of JSON objects with name and value string properties, i.e. {"name" : "name value", "value": "a value"}. - TokenBodyParameterContract object.')
|
||||
param tokenBodyParameters array = []
|
||||
|
||||
@description('Optional. OAuth token endpoint. Contains absolute URI to entity being referenced.')
|
||||
param tokenEndpoint string = ''
|
||||
|
||||
var defaultAuthorizationMethods = [
|
||||
'GET'
|
||||
]
|
||||
var setAuthorizationMethods = union(authorizationMethods, defaultAuthorizationMethods)
|
||||
|
||||
resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
|
||||
name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
|
||||
properties: {
|
||||
mode: 'Incremental'
|
||||
template: {
|
||||
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
|
||||
contentVersion: '1.0.0.0'
|
||||
resources: []
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource service 'Microsoft.ApiManagement/service@2021-08-01' existing = {
|
||||
name: apiManagementServiceName
|
||||
}
|
||||
|
||||
resource authorizationServer 'Microsoft.ApiManagement/service/authorizationServers@2021-08-01' = {
|
||||
name: name
|
||||
parent: service
|
||||
properties: {
|
||||
description: serverDescription
|
||||
authorizationMethods: setAuthorizationMethods
|
||||
clientAuthenticationMethod: clientAuthenticationMethod
|
||||
tokenBodyParameters: tokenBodyParameters
|
||||
tokenEndpoint: tokenEndpoint
|
||||
supportState: supportState
|
||||
defaultScope: defaultScope
|
||||
bearerTokenSendingMethods: bearerTokenSendingMethods
|
||||
resourceOwnerUsername: resourceOwnerUsername
|
||||
resourceOwnerPassword: resourceOwnerPassword
|
||||
displayName: name
|
||||
clientRegistrationEndpoint: clientRegistrationEndpoint
|
||||
authorizationEndpoint: authorizationEndpoint
|
||||
grantTypes: grantTypes
|
||||
clientId: clientId
|
||||
clientSecret: clientSecret
|
||||
}
|
||||
}
|
||||
|
||||
@description('The name of the API management service authorization server.')
|
||||
output name string = authorizationServer.name
|
||||
|
||||
@description('The resource ID of the API management service authorization server.')
|
||||
output resourceId string = authorizationServer.id
|
||||
|
||||
@description('The resource group the API management service authorization server was deployed into.')
|
||||
output resourceGroupName string = resourceGroup().name
|
|
@ -1,67 +0,0 @@
|
|||
# API Management Service Authorization Servers `[Microsoft.ApiManagement/service/authorizationServers]`
|
||||
|
||||
This module deploys API Management Service Authorization Servers.
|
||||
|
||||
## Navigation
|
||||
|
||||
- [Resource types](#Resource-types)
|
||||
- [Parameters](#Parameters)
|
||||
- [Outputs](#Outputs)
|
||||
- [Cross-referenced modules](#Cross-referenced-modules)
|
||||
|
||||
## Resource types
|
||||
|
||||
| Resource Type | API Version |
|
||||
| :-- | :-- |
|
||||
| `Microsoft.ApiManagement/service/authorizationServers` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/authorizationServers) |
|
||||
|
||||
### Resource dependency
|
||||
|
||||
The following resources are required to be able to deploy this resource.
|
||||
|
||||
- `Microsoft.ApiManagement/service`
|
||||
|
||||
## Parameters
|
||||
|
||||
**Required parameters**
|
||||
| Parameter Name | Type | Description |
|
||||
| :-- | :-- | :-- |
|
||||
| `authorizationEndpoint` | string | OAuth authorization endpoint. See <http://tools.ietf.org/html/rfc6749#section-3.2>. |
|
||||
| `clientId` | secureString | Client or app ID registered with this authorization server. |
|
||||
| `clientSecret` | secureString | Client or app secret registered with this authorization server. This property will not be filled on 'GET' operations! Use '/listSecrets' POST request to get the value. |
|
||||
| `grantTypes` | array | Form of an authorization grant, which the client uses to request the access token. - authorizationCode, implicit, resourceOwnerPassword, clientCredentials. |
|
||||
| `name` | string | Identifier of the authorization server. |
|
||||
|
||||
**Conditional parameters**
|
||||
| Parameter Name | Type | Description |
|
||||
| :-- | :-- | :-- |
|
||||
| `apiManagementServiceName` | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. |
|
||||
|
||||
**Optional parameters**
|
||||
| Parameter Name | Type | Default Value | Description |
|
||||
| :-- | :-- | :-- | :-- |
|
||||
| `authorizationMethods` | array | `[GET]` | HTTP verbs supported by the authorization endpoint. GET must be always present. POST is optional. - HEAD, OPTIONS, TRACE, GET, POST, PUT, PATCH, DELETE. |
|
||||
| `bearerTokenSendingMethods` | array | `[authorizationHeader]` | Specifies the mechanism by which access token is passed to the API. - authorizationHeader or query. |
|
||||
| `clientAuthenticationMethod` | array | `[Basic]` | Method of authentication supported by the token endpoint of this authorization server. Possible values are Basic and/or Body. When Body is specified, client credentials and other parameters are passed within the request body in the application/x-www-form-urlencoded format. - Basic or Body. |
|
||||
| `clientRegistrationEndpoint` | string | `''` | Optional reference to a page where client or app registration for this authorization server is performed. Contains absolute URL to entity being referenced. |
|
||||
| `defaultScope` | string | `''` | Access token scope that is going to be requested by default. Can be overridden at the API level. Should be provided in the form of a string containing space-delimited values. |
|
||||
| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). |
|
||||
| `resourceOwnerPassword` | string | `''` | Can be optionally specified when resource owner password grant type is supported by this authorization server. Default resource owner password. |
|
||||
| `resourceOwnerUsername` | string | `''` | Can be optionally specified when resource owner password grant type is supported by this authorization server. Default resource owner username. |
|
||||
| `serverDescription` | string | `''` | Description of the authorization server. Can contain HTML formatting tags. |
|
||||
| `supportState` | bool | `False` | If true, authorization server will include state parameter from the authorization request to its response. Client may use state parameter to raise protocol security. |
|
||||
| `tokenBodyParameters` | array | `[]` | Additional parameters required by the token endpoint of this authorization server represented as an array of JSON objects with name and value string properties, i.e. {"name" : "name value", "value": "a value"}. - TokenBodyParameterContract object. |
|
||||
| `tokenEndpoint` | string | `''` | OAuth token endpoint. Contains absolute URI to entity being referenced. |
|
||||
|
||||
|
||||
## Outputs
|
||||
|
||||
| Output Name | Type | Description |
|
||||
| :-- | :-- | :-- |
|
||||
| `name` | string | The name of the API management service authorization server. |
|
||||
| `resourceGroupName` | string | The resource group the API management service authorization server was deployed into. |
|
||||
| `resourceId` | string | The resource ID of the API management service authorization server. |
|
||||
|
||||
## Cross-referenced modules
|
||||
|
||||
_None_
|
|
@ -1,4 +0,0 @@
|
|||
{
|
||||
"$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
|
||||
"version": "0.4"
|
||||
}
|
|
@ -1,81 +0,0 @@
|
|||
@description('Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment.')
|
||||
param apiManagementServiceName string
|
||||
|
||||
@description('Required. Backend Name.')
|
||||
param name string
|
||||
|
||||
@description('Optional. Backend Credentials Contract Properties.')
|
||||
param credentials object = {}
|
||||
|
||||
@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
|
||||
param enableDefaultTelemetry bool = true
|
||||
|
||||
@description('Optional. Backend Description.')
|
||||
param backendDescription string = ''
|
||||
|
||||
@description('Optional. Backend communication protocol. - http or soap.')
|
||||
param protocol string = 'http'
|
||||
|
||||
@description('Optional. Backend Proxy Contract Properties.')
|
||||
param proxy object = {}
|
||||
|
||||
@description('Optional. Management Uri of the Resource in External System. This URL can be the Arm Resource ID of Logic Apps, Function Apps or API Apps.')
|
||||
param resourceId string = ''
|
||||
|
||||
@description('Optional. Backend Service Fabric Cluster Properties.')
|
||||
param serviceFabricCluster object = {}
|
||||
|
||||
@description('Optional. Backend Title.')
|
||||
param title string = ''
|
||||
|
||||
@description('Optional. Backend TLS Properties.')
|
||||
param tls object = {
|
||||
validateCertificateChain: false
|
||||
validateCertificateName: false
|
||||
}
|
||||
|
||||
@description('Required. Runtime URL of the Backend.')
|
||||
param url string
|
||||
|
||||
resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
|
||||
name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
|
||||
properties: {
|
||||
mode: 'Incremental'
|
||||
template: {
|
||||
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
|
||||
contentVersion: '1.0.0.0'
|
||||
resources: []
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource service 'Microsoft.ApiManagement/service@2021-08-01' existing = {
|
||||
name: apiManagementServiceName
|
||||
}
|
||||
|
||||
resource backend 'Microsoft.ApiManagement/service/backends@2021-08-01' = {
|
||||
name: name
|
||||
parent: service
|
||||
properties: {
|
||||
title: !empty(title) ? title : null
|
||||
description: !empty(backendDescription) ? backendDescription : null
|
||||
resourceId: !empty(resourceId) ? resourceId : null
|
||||
properties: {
|
||||
serviceFabricCluster: !empty(serviceFabricCluster) ? serviceFabricCluster : null
|
||||
}
|
||||
credentials: !empty(credentials) ? credentials : null
|
||||
proxy: !empty(proxy) ? proxy : null
|
||||
tls: !empty(tls) ? tls : null
|
||||
url: url
|
||||
protocol: protocol
|
||||
}
|
||||
}
|
||||
|
||||
@description('The resource ID of the API management service backend.')
|
||||
output resourceId string = backend.id
|
||||
|
||||
@description('The name of the API management service backend.')
|
||||
output name string = backend.name
|
||||
|
||||
@description('The resource group the API management service backend was deployed into.')
|
||||
output resourceGroupName string = resourceGroup().name
|
|
@ -1,146 +0,0 @@
|
|||
# API Management Service Backends `[Microsoft.ApiManagement/service/backends]`
|
||||
|
||||
This module deploys API Management Service Backends.
|
||||
|
||||
## Navigation
|
||||
|
||||
- [Resource types](#Resource-types)
|
||||
- [Parameters](#Parameters)
|
||||
- [Outputs](#Outputs)
|
||||
- [Cross-referenced modules](#Cross-referenced-modules)
|
||||
|
||||
## Resource types
|
||||
|
||||
| Resource Type | API Version |
|
||||
| :-- | :-- |
|
||||
| `Microsoft.ApiManagement/service/backends` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/backends) |
|
||||
|
||||
### Resource dependency
|
||||
|
||||
The following resources are required to be able to deploy this resource.
|
||||
|
||||
- `Microsoft.ApiManagement/service`
|
||||
|
||||
## Parameters
|
||||
|
||||
**Required parameters**
|
||||
| Parameter Name | Type | Description |
|
||||
| :-- | :-- | :-- |
|
||||
| `name` | string | Backend Name. |
|
||||
| `url` | string | Runtime URL of the Backend. |
|
||||
|
||||
**Conditional parameters**
|
||||
| Parameter Name | Type | Description |
|
||||
| :-- | :-- | :-- |
|
||||
| `apiManagementServiceName` | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. |
|
||||
|
||||
**Optional parameters**
|
||||
| Parameter Name | Type | Default Value | Description |
|
||||
| :-- | :-- | :-- | :-- |
|
||||
| `backendDescription` | string | `''` | Backend Description. |
|
||||
| `credentials` | object | `{object}` | Backend Credentials Contract Properties. |
|
||||
| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). |
|
||||
| `protocol` | string | `'http'` | Backend communication protocol. - http or soap. |
|
||||
| `proxy` | object | `{object}` | Backend Proxy Contract Properties. |
|
||||
| `resourceId` | string | `''` | Management Uri of the Resource in External System. This URL can be the Arm Resource ID of Logic Apps, Function Apps or API Apps. |
|
||||
| `serviceFabricCluster` | object | `{object}` | Backend Service Fabric Cluster Properties. |
|
||||
| `title` | string | `''` | Backend Title. |
|
||||
| `tls` | object | `{object}` | Backend TLS Properties. |
|
||||
|
||||
|
||||
### Parameter Usage: Credentials
|
||||
|
||||
| Parameter Name| Type | Default Value | Possible values | Description |
|
||||
| :-- | :-- | :--- | :-- | :- |
|
||||
| `certificate` | array | | | Optional. List of Client Certificate Thumbprint. - string |
|
||||
| `query` | object | | | Optional. Query Parameter description. |
|
||||
| `header` | object | | | Optional. Header Parameter description. |
|
||||
| `authorization` | object | | | Optional. Authorization header authentication |
|
||||
|
||||
### Parameter Usage: `credentials`
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Parameter JSON format</summary>
|
||||
|
||||
```json
|
||||
"credentials": {
|
||||
"value":{
|
||||
"certificate": [
|
||||
"string"
|
||||
],
|
||||
"query": {},
|
||||
"header": {},
|
||||
"authorization": {
|
||||
"scheme": "Authentication Scheme name.-string",
|
||||
"parameter": "Authentication Parameter value. - string"
|
||||
}
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Bicep format</summary>
|
||||
|
||||
```bicep
|
||||
credentials: {
|
||||
certificate: [
|
||||
'string'
|
||||
]
|
||||
query: {}
|
||||
header: {}
|
||||
authorization: {
|
||||
scheme: 'Authentication Scheme name.-string'
|
||||
parameter: 'Authentication Parameter value. - string'
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
<p>
|
||||
|
||||
### Parameter Usage: `tls`
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Parameter JSON format</summary>
|
||||
|
||||
```json
|
||||
"tls": {
|
||||
"value":{
|
||||
"validateCertificateChain": "Flag indicating whether SSL certificate chain validation should be done when using self-signed certificates for this backend host. - boolean",
|
||||
"validateCertificateName": "Flag indicating whether SSL certificate name validation should be done when using self-signed certificates for this backend host. - boolean"
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Bicep format</summary>
|
||||
|
||||
```bicep
|
||||
tls: {
|
||||
validateCertificateChain: 'Flag indicating whether SSL certificate chain validation should be done when using self-signed certificates for this backend host. - boolean'
|
||||
validateCertificateName: 'Flag indicating whether SSL certificate name validation should be done when using self-signed certificates for this backend host. - boolean'
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
<p>
|
||||
|
||||
## Outputs
|
||||
|
||||
| Output Name | Type | Description |
|
||||
| :-- | :-- | :-- |
|
||||
| `name` | string | The name of the API management service backend. |
|
||||
| `resourceGroupName` | string | The resource group the API management service backend was deployed into. |
|
||||
| `resourceId` | string | The resource ID of the API management service backend. |
|
||||
|
||||
## Cross-referenced modules
|
||||
|
||||
_None_
|
|
@ -1,4 +0,0 @@
|
|||
{
|
||||
"$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
|
||||
"version": "0.4"
|
||||
}
|
|
@ -1,56 +0,0 @@
|
|||
@description('Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment.')
|
||||
param apiManagementServiceName string
|
||||
|
||||
@description('Required. Identifier of the Cache entity. Cache identifier (should be either \'default\' or valid Azure region identifier).')
|
||||
param name string
|
||||
|
||||
@description('Required. Runtime connection string to cache. Can be referenced by a named value like so, {{<named-value>}}.')
|
||||
param connectionString string
|
||||
|
||||
@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
|
||||
param enableDefaultTelemetry bool = true
|
||||
|
||||
@description('Optional. Cache description.')
|
||||
param cacheDescription string = ''
|
||||
|
||||
@description('Optional. Original uri of entity in external system cache points to.')
|
||||
param resourceId string = ''
|
||||
|
||||
@description('Required. Location identifier to use cache from (should be either \'default\' or valid Azure region identifier).')
|
||||
param useFromLocation string
|
||||
|
||||
resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
|
||||
name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
|
||||
properties: {
|
||||
mode: 'Incremental'
|
||||
template: {
|
||||
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
|
||||
contentVersion: '1.0.0.0'
|
||||
resources: []
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource service 'Microsoft.ApiManagement/service@2021-08-01' existing = {
|
||||
name: apiManagementServiceName
|
||||
}
|
||||
|
||||
resource cache 'Microsoft.ApiManagement/service/caches@2021-08-01' = {
|
||||
name: name
|
||||
parent: service
|
||||
properties: {
|
||||
description: !empty(cacheDescription) ? cacheDescription : null
|
||||
connectionString: connectionString
|
||||
useFromLocation: useFromLocation
|
||||
resourceId: !empty(resourceId) ? resourceId : null
|
||||
}
|
||||
}
|
||||
|
||||
@description('The resource ID of the API management service cache.')
|
||||
output resourceId string = cache.id
|
||||
|
||||
@description('The name of the API management service cache.')
|
||||
output name string = cache.name
|
||||
|
||||
@description('The resource group the API management service cache was deployed into.')
|
||||
output resourceGroupName string = resourceGroup().name
|
|
@ -1,50 +0,0 @@
|
|||
# API Management Service Cache `[Microsoft.ApiManagement/service/caches]`
|
||||
|
||||
This module deploys an API Management Service Cache.
|
||||
|
||||
## Navigation
|
||||
|
||||
- [Resource types](#Resource-types)
|
||||
- [Parameters](#Parameters)
|
||||
- [Outputs](#Outputs)
|
||||
- [Cross-referenced modules](#Cross-referenced-modules)
|
||||
|
||||
## Resource types
|
||||
|
||||
| Resource Type | API Version |
|
||||
| :-- | :-- |
|
||||
| `Microsoft.ApiManagement/service/caches` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/caches) |
|
||||
|
||||
## Parameters
|
||||
|
||||
**Required parameters**
|
||||
| Parameter Name | Type | Description |
|
||||
| :-- | :-- | :-- |
|
||||
| `connectionString` | string | Runtime connection string to cache. Can be referenced by a named value like so, {{<named-value>}}. |
|
||||
| `name` | string | Identifier of the Cache entity. Cache identifier (should be either 'default' or valid Azure region identifier). |
|
||||
| `useFromLocation` | string | Location identifier to use cache from (should be either 'default' or valid Azure region identifier). |
|
||||
|
||||
**Conditional parameters**
|
||||
| Parameter Name | Type | Description |
|
||||
| :-- | :-- | :-- |
|
||||
| `apiManagementServiceName` | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. |
|
||||
|
||||
**Optional parameters**
|
||||
| Parameter Name | Type | Default Value | Description |
|
||||
| :-- | :-- | :-- | :-- |
|
||||
| `cacheDescription` | string | `''` | Cache description. |
|
||||
| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). |
|
||||
| `resourceId` | string | `''` | Original uri of entity in external system cache points to. |
|
||||
|
||||
|
||||
## Outputs
|
||||
|
||||
| Output Name | Type | Description |
|
||||
| :-- | :-- | :-- |
|
||||
| `name` | string | The name of the API management service cache. |
|
||||
| `resourceGroupName` | string | The resource group the API management service cache was deployed into. |
|
||||
| `resourceId` | string | The resource ID of the API management service cache. |
|
||||
|
||||
## Cross-referenced modules
|
||||
|
||||
_None_
|
|
@ -1,4 +0,0 @@
|
|||
{
|
||||
"$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
|
||||
"version": "0.4"
|
||||
}
|
|
@ -1,470 +0,0 @@
|
|||
@description('Optional. Additional datacenter locations of the API Management service.')
|
||||
param additionalLocations array = []
|
||||
|
||||
@description('Required. The name of the API Management service.')
|
||||
param name string
|
||||
|
||||
@description('Optional. List of Certificates that need to be installed in the API Management service. Max supported certificates that can be installed is 10.')
|
||||
@maxLength(10)
|
||||
param certificates array = []
|
||||
|
||||
@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
|
||||
param enableDefaultTelemetry bool = true
|
||||
|
||||
@description('Optional. Custom properties of the API Management service.')
|
||||
param customProperties object = {}
|
||||
|
||||
@description('Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.')
|
||||
@minValue(0)
|
||||
@maxValue(365)
|
||||
param diagnosticLogsRetentionInDays int = 365
|
||||
|
||||
@description('Optional. Resource ID of the diagnostic storage account.')
|
||||
param diagnosticStorageAccountId string = ''
|
||||
|
||||
@description('Optional. Property only valid for an API Management service deployed in multiple locations. This can be used to disable the gateway in master region.')
|
||||
param disableGateway bool = false
|
||||
|
||||
@description('Optional. Property only meant to be used for Consumption SKU Service. This enforces a client certificate to be presented on each request to the gateway. This also enables the ability to authenticate the certificate in the policy on the gateway.')
|
||||
param enableClientCertificate bool = false
|
||||
|
||||
@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
|
||||
param diagnosticEventHubAuthorizationRuleId string = ''
|
||||
|
||||
@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.')
|
||||
param diagnosticEventHubName string = ''
|
||||
|
||||
@description('Optional. Custom hostname configuration of the API Management service.')
|
||||
param hostnameConfigurations array = []
|
||||
|
||||
@description('Optional. Enables system assigned managed identity on the resource.')
|
||||
param systemAssignedIdentity bool = false
|
||||
|
||||
@description('Optional. The ID(s) to assign to the resource.')
|
||||
param userAssignedIdentities object = {}
|
||||
|
||||
@description('Optional. Location for all Resources.')
|
||||
param location string = resourceGroup().location
|
||||
|
||||
@allowed([
|
||||
''
|
||||
'CanNotDelete'
|
||||
'ReadOnly'
|
||||
])
|
||||
@description('Optional. Specify the type of lock.')
|
||||
param lock string = ''
|
||||
|
||||
@description('Optional. Limit control plane API calls to API Management service with version equal to or newer than this value.')
|
||||
param minApiVersion string = ''
|
||||
|
||||
@description('Optional. The notification sender email address for the service.')
|
||||
param notificationSenderEmail string = 'apimgmt-noreply@mail.windowsazure.com'
|
||||
|
||||
@description('Required. The email address of the owner of the service.')
|
||||
param publisherEmail string
|
||||
|
||||
@description('Required. The name of the owner of the service.')
|
||||
param publisherName string
|
||||
|
||||
@description('Optional. Undelete API Management Service if it was previously soft-deleted. If this flag is specified and set to True all other properties will be ignored.')
|
||||
param restore bool = false
|
||||
|
||||
@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
|
||||
param roleAssignments array = []
|
||||
|
||||
@description('Optional. The pricing tier of this API Management service.')
|
||||
@allowed([
|
||||
'Consumption'
|
||||
'Developer'
|
||||
'Basic'
|
||||
'Standard'
|
||||
'Premium'
|
||||
])
|
||||
param sku string = 'Developer'
|
||||
|
||||
@description('Optional. The instance size of this API Management service.')
|
||||
@allowed([
|
||||
1
|
||||
2
|
||||
])
|
||||
param skuCount int = 1
|
||||
|
||||
@description('Optional. The full resource ID of a subnet in a virtual network to deploy the API Management service in.')
|
||||
param subnetResourceId string = ''
|
||||
|
||||
@description('Optional. Tags of the resource.')
|
||||
param tags object = {}
|
||||
|
||||
@description('Optional. The type of VPN in which API Management service needs to be configured in. None (Default Value) means the API Management service is not part of any Virtual Network, External means the API Management deployment is set up inside a Virtual Network having an internet Facing Endpoint, and Internal means that API Management deployment is setup inside a Virtual Network having an Intranet Facing Endpoint only.')
|
||||
@allowed([
|
||||
'None'
|
||||
'External'
|
||||
'Internal'
|
||||
])
|
||||
param virtualNetworkType string = 'None'
|
||||
|
||||
@description('Optional. Resource ID of the diagnostic log analytics workspace.')
|
||||
param diagnosticWorkspaceId string = ''
|
||||
|
||||
@description('Optional. A list of availability zones denoting where the resource needs to come from.')
|
||||
param zones array = []
|
||||
|
||||
@description('Optional. The name of logs that will be streamed.')
|
||||
@allowed([
|
||||
'GatewayLogs'
|
||||
])
|
||||
param diagnosticLogCategoriesToEnable array = [
|
||||
'GatewayLogs'
|
||||
]
|
||||
|
||||
@description('Optional. The name of metrics that will be streamed.')
|
||||
@allowed([
|
||||
'AllMetrics'
|
||||
])
|
||||
param diagnosticMetricsToEnable array = [
|
||||
'AllMetrics'
|
||||
]
|
||||
@description('Optional. Necessary to create a new GUID.')
|
||||
param newGuidValue string = newGuid()
|
||||
|
||||
@description('Optional. APIs.')
|
||||
param apis array = []
|
||||
@description('Optional. API Version Sets.')
|
||||
param apiVersionSets array = []
|
||||
@description('Optional. Authorization servers.')
|
||||
param authorizationServers array = []
|
||||
@description('Optional. Backends.')
|
||||
param backends array = []
|
||||
@description('Optional. Caches.')
|
||||
param caches array = []
|
||||
@description('Optional. Identity providers.')
|
||||
param identityProviders array = []
|
||||
@description('Optional. Named values.')
|
||||
param namedValues array = []
|
||||
@description('Optional. Policies.')
|
||||
param policies array = []
|
||||
@description('Optional. Portal settings.')
|
||||
param portalSettings array = []
|
||||
@description('Optional. Products.')
|
||||
param products array = []
|
||||
@description('Optional. Subscriptions.')
|
||||
param subscriptions array = []
|
||||
|
||||
@description('Optional. The name of the diagnostic setting, if deployed.')
|
||||
param diagnosticSettingsName string = '${name}-diagnosticSettings'
|
||||
|
||||
var enableReferencedModulesTelemetry = false
|
||||
|
||||
var diagnosticsLogs = [for category in diagnosticLogCategoriesToEnable: {
|
||||
category: category
|
||||
enabled: true
|
||||
retentionPolicy: {
|
||||
enabled: true
|
||||
days: diagnosticLogsRetentionInDays
|
||||
}
|
||||
}]
|
||||
|
||||
var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: {
|
||||
category: metric
|
||||
timeGrain: null
|
||||
enabled: true
|
||||
retentionPolicy: {
|
||||
enabled: true
|
||||
days: diagnosticLogsRetentionInDays
|
||||
}
|
||||
}]
|
||||
|
||||
var identityType = systemAssignedIdentity ? (!empty(userAssignedIdentities) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned') : (!empty(userAssignedIdentities) ? 'UserAssigned' : 'None')
|
||||
|
||||
var identity = identityType != 'None' ? {
|
||||
type: identityType
|
||||
userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null
|
||||
} : null
|
||||
|
||||
resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
|
||||
name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
|
||||
properties: {
|
||||
mode: 'Incremental'
|
||||
template: {
|
||||
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
|
||||
contentVersion: '1.0.0.0'
|
||||
resources: []
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource apiManagementService 'Microsoft.ApiManagement/service@2021-08-01' = {
|
||||
name: name
|
||||
location: location
|
||||
tags: tags
|
||||
sku: {
|
||||
name: sku
|
||||
capacity: skuCount
|
||||
}
|
||||
zones: zones
|
||||
identity: identity
|
||||
properties: {
|
||||
publisherEmail: publisherEmail
|
||||
publisherName: publisherName
|
||||
notificationSenderEmail: notificationSenderEmail
|
||||
hostnameConfigurations: hostnameConfigurations
|
||||
additionalLocations: additionalLocations
|
||||
customProperties: customProperties
|
||||
certificates: certificates
|
||||
enableClientCertificate: enableClientCertificate ? true : null
|
||||
disableGateway: disableGateway
|
||||
virtualNetworkType: virtualNetworkType
|
||||
virtualNetworkConfiguration: !empty(subnetResourceId) ? json('{"subnetResourceId": "${subnetResourceId}"}') : null
|
||||
apiVersionConstraint: !empty(minApiVersion) ? json('{"minApiVersion": "${minApiVersion}"}') : null
|
||||
restore: restore
|
||||
}
|
||||
}
|
||||
|
||||
module apis_resource 'apis/deploy.bicep' = [for (api, index) in apis: {
|
||||
name: '${uniqueString(deployment().name, location)}-Apim-Api-${index}'
|
||||
params: {
|
||||
apiManagementServiceName: apiManagementService.name
|
||||
displayName: api.displayName
|
||||
name: api.name
|
||||
path: api.path
|
||||
apiDescription: contains(api, 'apiDescription') ? api.apiDescription : ''
|
||||
apiRevision: contains(api, 'apiRevision') ? api.apiRevision : ''
|
||||
apiRevisionDescription: contains(api, 'apiRevisionDescription') ? api.apiRevisionDescription : ''
|
||||
apiType: contains(api, 'apiType') ? api.apiType : 'http'
|
||||
apiVersion: contains(api, 'apiVersion') ? api.apiVersion : ''
|
||||
apiVersionDescription: contains(api, 'apiVersionDescription') ? api.apiVersionDescription : ''
|
||||
apiVersionSetId: contains(api, 'apiVersionSetId') ? api.apiVersionSetId : ''
|
||||
authenticationSettings: contains(api, 'authenticationSettings') ? api.authenticationSettings : {}
|
||||
format: contains(api, 'format') ? api.format : 'openapi'
|
||||
isCurrent: contains(api, 'isCurrent') ? api.isCurrent : true
|
||||
protocols: contains(api, 'protocols') ? api.protocols : [
|
||||
'https'
|
||||
]
|
||||
policies: contains(api, 'policies') ? api.policies : []
|
||||
serviceUrl: contains(api, 'serviceUrl') ? api.serviceUrl : ''
|
||||
sourceApiId: contains(api, 'sourceApiId') ? api.sourceApiId : ''
|
||||
subscriptionKeyParameterNames: contains(api, 'subscriptionKeyParameterNames') ? api.subscriptionKeyParameterNames : {}
|
||||
subscriptionRequired: contains(api, 'subscriptionRequired') ? api.subscriptionRequired : false
|
||||
type: contains(api, 'type') ? api.type : 'http'
|
||||
value: contains(api, 'value') ? api.value : ''
|
||||
wsdlSelector: contains(api, 'wsdlSelector') ? api.wsdlSelector : {}
|
||||
enableDefaultTelemetry: enableReferencedModulesTelemetry
|
||||
}
|
||||
dependsOn: [
|
||||
apiVersionSet_resource
|
||||
]
|
||||
}]
|
||||
|
||||
module apiVersionSet_resource 'apiVersionSets/deploy.bicep' = [for (apiVersionSet, index) in apiVersionSets: {
|
||||
name: '${uniqueString(deployment().name, location)}-Apim-ApiVersionSet-${index}'
|
||||
params: {
|
||||
apiManagementServiceName: apiManagementService.name
|
||||
name: apiVersionSet.name
|
||||
properties: contains(apiVersionSet, 'properties') ? apiVersionSet.properties : {}
|
||||
enableDefaultTelemetry: enableReferencedModulesTelemetry
|
||||
}
|
||||
}]
|
||||
|
||||
module authorizationServers_resource '.bicep/nested_authorizationServers.bicep' = [for (authorizationServer, index) in authorizationServers: {
|
||||
name: '${uniqueString(deployment().name, location)}-Apim-AuthorizationServer-${index}'
|
||||
params: {
|
||||
apiManagementServiceName: apiManagementService.name
|
||||
name: authorizationServer.name
|
||||
authorizationEndpoint: authorizationServer.authorizationEndpoint
|
||||
authorizationMethods: contains(authorizationServer, 'authorizationMethods') ? authorizationServer.authorizationMethods : [
|
||||
'GET'
|
||||
]
|
||||
bearerTokenSendingMethods: contains(authorizationServer, 'bearerTokenSendingMethods') ? authorizationServer.bearerTokenSendingMethods : [
|
||||
'authorizationHeader'
|
||||
]
|
||||
clientAuthenticationMethod: contains(authorizationServer, 'clientAuthenticationMethod') ? authorizationServer.clientAuthenticationMethod : [
|
||||
'Basic'
|
||||
]
|
||||
clientCredentialsKeyVaultId: authorizationServer.clientCredentialsKeyVaultId
|
||||
clientIdSecretName: authorizationServer.clientIdSecretName
|
||||
clientSecretSecretName: authorizationServer.clientSecretSecretName
|
||||
clientRegistrationEndpoint: contains(authorizationServer, 'clientRegistrationEndpoint') ? authorizationServer.clientRegistrationEndpoint : ''
|
||||
defaultScope: contains(authorizationServer, 'defaultScope') ? authorizationServer.defaultScope : ''
|
||||
grantTypes: authorizationServer.grantTypes
|
||||
resourceOwnerPassword: contains(authorizationServer, 'resourceOwnerPassword') ? authorizationServer.resourceOwnerPassword : ''
|
||||
resourceOwnerUsername: contains(authorizationServer, 'resourceOwnerUsername') ? authorizationServer.resourceOwnerUsername : ''
|
||||
serverDescription: contains(authorizationServer, 'serverDescription') ? authorizationServer.serverDescription : ''
|
||||
supportState: contains(authorizationServer, 'supportState') ? authorizationServer.supportState : false
|
||||
tokenBodyParameters: contains(authorizationServer, 'tokenBodyParameters') ? authorizationServer.tokenBodyParameters : []
|
||||
tokenEndpoint: contains(authorizationServer, 'tokenEndpoint') ? authorizationServer.tokenEndpoint : ''
|
||||
enableDefaultTelemetry: enableReferencedModulesTelemetry
|
||||
}
|
||||
}]
|
||||
|
||||
module backends_resource 'backends/deploy.bicep' = [for (backend, index) in backends: {
|
||||
name: '${uniqueString(deployment().name, location)}-Apim-Backend-${index}'
|
||||
params: {
|
||||
apiManagementServiceName: apiManagementService.name
|
||||
url: contains(backend, 'url') ? backend.url : ''
|
||||
backendDescription: contains(backend, 'backendDescription') ? backend.backendDescription : ''
|
||||
credentials: contains(backend, 'credentials') ? backend.credentials : {}
|
||||
name: backend.name
|
||||
protocol: contains(backend, 'protocol') ? backend.protocol : 'http'
|
||||
proxy: contains(backend, 'proxy') ? backend.proxy : {}
|
||||
resourceId: contains(backend, 'resourceId') ? backend.resourceId : ''
|
||||
serviceFabricCluster: contains(backend, 'serviceFabricCluster') ? backend.serviceFabricCluster : {}
|
||||
title: contains(backend, 'title') ? backend.title : ''
|
||||
tls: contains(backend, 'tls') ? backend.tls : {
|
||||
validateCertificateChain: false
|
||||
validateCertificateName: false
|
||||
}
|
||||
enableDefaultTelemetry: enableReferencedModulesTelemetry
|
||||
}
|
||||
}]
|
||||
|
||||
module caches_resource 'caches/deploy.bicep' = [for (cache, index) in caches: {
|
||||
name: '${uniqueString(deployment().name, location)}-Apim-Cache-${index}'
|
||||
params: {
|
||||
apiManagementServiceName: apiManagementService.name
|
||||
cacheDescription: contains(cache, 'cacheDescription') ? cache.cacheDescription : ''
|
||||
connectionString: cache.connectionString
|
||||
name: cache.name
|
||||
resourceId: contains(cache, 'resourceId') ? cache.resourceId : ''
|
||||
useFromLocation: cache.useFromLocation
|
||||
enableDefaultTelemetry: enableReferencedModulesTelemetry
|
||||
}
|
||||
}]
|
||||
|
||||
module identityProvider_resource 'identityProviders/deploy.bicep' = [for (identityProvider, index) in identityProviders: {
|
||||
name: '${uniqueString(deployment().name, location)}-Apim-IdentityProvider-${index}'
|
||||
params: {
|
||||
apiManagementServiceName: apiManagementService.name
|
||||
name: identityProvider.name
|
||||
enableIdentityProviders: contains(identityProvider, 'enableIdentityProviders') ? identityProvider.enableIdentityProviders : false
|
||||
identityProviderAllowedTenants: contains(identityProvider, 'identityProviderAllowedTenants') ? identityProvider.identityProviderAllowedTenants : []
|
||||
identityProviderAuthority: contains(identityProvider, 'identityProviderAuthority') ? identityProvider.identityProviderAuthority : ''
|
||||
identityProviderClientId: contains(identityProvider, 'identityProviderClientId') ? identityProvider.identityProviderClientId : ''
|
||||
identityProviderClientSecret: contains(identityProvider, 'identityProviderClientSecret') ? identityProvider.identityProviderClientSecret : ''
|
||||
identityProviderPasswordResetPolicyName: contains(identityProvider, 'identityProviderPasswordResetPolicyName') ? identityProvider.identityProviderPasswordResetPolicyName : ''
|
||||
identityProviderProfileEditingPolicyName: contains(identityProvider, 'identityProviderProfileEditingPolicyName') ? identityProvider.identityProviderProfileEditingPolicyName : ''
|
||||
identityProviderSignInPolicyName: contains(identityProvider, 'identityProviderSignInPolicyName') ? identityProvider.identityProviderSignInPolicyName : ''
|
||||
identityProviderSignInTenant: contains(identityProvider, 'identityProviderSignInTenant') ? identityProvider.identityProviderSignInTenant : ''
|
||||
identityProviderSignUpPolicyName: contains(identityProvider, 'identityProviderSignUpPolicyName') ? identityProvider.identityProviderSignUpPolicyName : ''
|
||||
identityProviderType: contains(identityProvider, 'identityProviderType') ? identityProvider.identityProviderType : 'aad'
|
||||
enableDefaultTelemetry: enableReferencedModulesTelemetry
|
||||
}
|
||||
}]
|
||||
|
||||
module namedValues_resource 'namedValues/deploy.bicep' = [for (namedValue, index) in namedValues: {
|
||||
name: '${uniqueString(deployment().name, location)}-Apim-NamedValue-${index}'
|
||||
params: {
|
||||
apiManagementServiceName: apiManagementService.name
|
||||
displayName: namedValue.displayName
|
||||
keyVault: contains(namedValue, 'keyVault') ? namedValue.keyVault : {}
|
||||
name: namedValue.name
|
||||
namedValueTags: contains(namedValue, 'namedValueTags') ? namedValue.namedValueTags : []
|
||||
secret: contains(namedValue, 'secret') ? namedValue.secret : false
|
||||
value: contains(namedValue, 'value') ? namedValue.value : newGuidValue
|
||||
enableDefaultTelemetry: enableReferencedModulesTelemetry
|
||||
}
|
||||
}]
|
||||
|
||||
module portalSettings_resource 'portalsettings/deploy.bicep' = [for (portalSetting, index) in portalSettings: {
|
||||
name: '${uniqueString(deployment().name, location)}-Apim-PortalSetting-${index}'
|
||||
params: {
|
||||
apiManagementServiceName: apiManagementService.name
|
||||
name: portalSetting.name
|
||||
properties: contains(portalSetting, 'properties') ? portalSetting.properties : {}
|
||||
enableDefaultTelemetry: enableReferencedModulesTelemetry
|
||||
}
|
||||
}]
|
||||
|
||||
module policy_resource 'policies/deploy.bicep' = [for (policy, index) in policies: {
|
||||
name: '${uniqueString(deployment().name, location)}-Apim-Policy-${index}'
|
||||
params: {
|
||||
apiManagementServiceName: apiManagementService.name
|
||||
value: policy.value
|
||||
format: contains(policy, 'format') ? policy.format : 'xml'
|
||||
enableDefaultTelemetry: enableReferencedModulesTelemetry
|
||||
}
|
||||
}]
|
||||
|
||||
module products_resource 'products/deploy.bicep' = [for (product, index) in products: {
|
||||
name: '${uniqueString(deployment().name, location)}-Apim-Product-${index}'
|
||||
params: {
|
||||
apiManagementServiceName: apiManagementService.name
|
||||
apis: contains(product, 'apis') ? product.apis : []
|
||||
approvalRequired: contains(product, 'approvalRequired') ? product.approvalRequired : false
|
||||
groups: contains(product, 'groups') ? product.groups : []
|
||||
name: product.name
|
||||
productDescription: contains(product, 'productDescription') ? product.productDescription : ''
|
||||
state: contains(product, 'state') ? product.state : 'published'
|
||||
subscriptionRequired: contains(product, 'subscriptionRequired') ? product.subscriptionRequired : false
|
||||
subscriptionsLimit: contains(product, 'subscriptionsLimit') ? product.subscriptionsLimit : 1
|
||||
terms: contains(product, 'terms') ? product.terms : ''
|
||||
enableDefaultTelemetry: enableReferencedModulesTelemetry
|
||||
}
|
||||
dependsOn: [
|
||||
apis_resource
|
||||
]
|
||||
}]
|
||||
|
||||
module subscriptions_resource 'subscriptions/deploy.bicep' = [for (subscription, index) in subscriptions: {
|
||||
name: '${uniqueString(deployment().name, location)}-Apim-Subscription-${index}'
|
||||
params: {
|
||||
apiManagementServiceName: apiManagementService.name
|
||||
name: contains(subscription, 'name') ? subscription.name : ''
|
||||
allowTracing: contains(subscription, 'allowTracing') ? subscription.allowTracing : false
|
||||
ownerId: contains(subscription, 'ownerId') ? subscription.ownerId : ''
|
||||
primaryKey: contains(subscription, 'primaryKey') ? subscription.primaryKey : ''
|
||||
scope: contains(subscription, 'scope') ? subscription.scope : '/apis'
|
||||
secondaryKey: contains(subscription, 'secondaryKey') ? subscription.secondaryKey : ''
|
||||
state: contains(subscription, 'state') ? subscription.state : ''
|
||||
enableDefaultTelemetry: enableReferencedModulesTelemetry
|
||||
}
|
||||
}]
|
||||
|
||||
resource apiManagementService_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) {
|
||||
name: '${apiManagementService.name}-${lock}-lock'
|
||||
properties: {
|
||||
level: any(lock)
|
||||
notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
|
||||
}
|
||||
scope: apiManagementService
|
||||
}
|
||||
|
||||
resource apiManagementService_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = if (!empty(diagnosticStorageAccountId) || !empty(diagnosticWorkspaceId) || !empty(diagnosticEventHubAuthorizationRuleId) || !empty(diagnosticEventHubName)) {
|
||||
name: diagnosticSettingsName
|
||||
properties: {
|
||||
storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null
|
||||
workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null
|
||||
eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null
|
||||
eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null
|
||||
metrics: diagnosticsMetrics
|
||||
logs: diagnosticsLogs
|
||||
}
|
||||
scope: apiManagementService
|
||||
}
|
||||
|
||||
module apiManagementService_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
|
||||
name: '${uniqueString(deployment().name, location)}-Apim-Rbac-${index}'
|
||||
params: {
|
||||
description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
|
||||
principalIds: roleAssignment.principalIds
|
||||
principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
|
||||
roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
|
||||
condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
|
||||
delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
|
||||
resourceId: apiManagementService.id
|
||||
}
|
||||
}]
|
||||
|
||||
@description('The name of the API management service.')
|
||||
output name string = apiManagementService.name
|
||||
|
||||
@description('The resource ID of the API management service.')
|
||||
output resourceId string = apiManagementService.id
|
||||
|
||||
@description('The resource group the API management service was deployed into.')
|
||||
output resourceGroupName string = resourceGroup().name
|
||||
|
||||
@description('The principal ID of the system assigned identity.')
|
||||
output systemAssignedPrincipalId string = systemAssignedIdentity && contains(apiManagementService.identity, 'principalId') ? apiManagementService.identity.principalId : ''
|
||||
|
||||
@description('The location the resource was deployed into.')
|
||||
output location string = apiManagementService.location
|
|
@ -1,95 +0,0 @@
|
|||
@description('Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment.')
|
||||
param apiManagementServiceName string
|
||||
|
||||
@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
|
||||
param enableDefaultTelemetry bool = true
|
||||
|
||||
@description('Optional. Used to enable the deployment of the identityProviders child resource.')
|
||||
param enableIdentityProviders bool = false
|
||||
|
||||
@description('Optional. List of Allowed Tenants when configuring Azure Active Directory login. - string.')
|
||||
param identityProviderAllowedTenants array = []
|
||||
|
||||
@description('Optional. OpenID Connect discovery endpoint hostname for AAD or AAD B2C.')
|
||||
param identityProviderAuthority string = ''
|
||||
|
||||
@description('Conditional. Client ID of the Application in the external Identity Provider. Required if identity provider is used.')
|
||||
param identityProviderClientId string = ''
|
||||
|
||||
@description('Conditional. Client secret of the Application in external Identity Provider, used to authenticate login request. Required if identity provider is used.')
|
||||
@secure()
|
||||
param identityProviderClientSecret string = ''
|
||||
|
||||
@description('Optional. Password Reset Policy Name. Only applies to AAD B2C Identity Provider.')
|
||||
#disable-next-line secure-secrets-in-params // Not a secret
|
||||
param identityProviderPasswordResetPolicyName string = ''
|
||||
|
||||
@description('Optional. Profile Editing Policy Name. Only applies to AAD B2C Identity Provider.')
|
||||
param identityProviderProfileEditingPolicyName string = ''
|
||||
|
||||
@description('Optional. Signin Policy Name. Only applies to AAD B2C Identity Provider.')
|
||||
param identityProviderSignInPolicyName string = ''
|
||||
|
||||
@description('Optional. The TenantId to use instead of Common when logging into Active Directory.')
|
||||
param identityProviderSignInTenant string = ''
|
||||
|
||||
@description('Optional. Signup Policy Name. Only applies to AAD B2C Identity Provider.')
|
||||
param identityProviderSignUpPolicyName string = ''
|
||||
|
||||
@description('Optional. Identity Provider Type identifier.')
|
||||
@allowed([
|
||||
'aad'
|
||||
'aadB2C'
|
||||
'facebook'
|
||||
'google'
|
||||
'microsoft'
|
||||
'twitter'
|
||||
])
|
||||
param identityProviderType string = 'aad'
|
||||
|
||||
@description('Required. Identity provider name.')
|
||||
param name string
|
||||
|
||||
var isAadB2C = (identityProviderType == 'aadB2C')
|
||||
|
||||
resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
|
||||
name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
|
||||
properties: {
|
||||
mode: 'Incremental'
|
||||
template: {
|
||||
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
|
||||
contentVersion: '1.0.0.0'
|
||||
resources: []
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource service 'Microsoft.ApiManagement/service@2021-08-01' existing = {
|
||||
name: apiManagementServiceName
|
||||
}
|
||||
|
||||
resource identityProvider 'Microsoft.ApiManagement/service/identityProviders@2021-08-01' = if (enableIdentityProviders) {
|
||||
name: name
|
||||
parent: service
|
||||
properties: {
|
||||
type: identityProviderType
|
||||
signinTenant: identityProviderSignInTenant
|
||||
allowedTenants: identityProviderAllowedTenants
|
||||
authority: identityProviderAuthority
|
||||
signupPolicyName: isAadB2C ? identityProviderSignUpPolicyName : null
|
||||
signinPolicyName: isAadB2C ? identityProviderSignInPolicyName : null
|
||||
profileEditingPolicyName: isAadB2C ? identityProviderProfileEditingPolicyName : null
|
||||
passwordResetPolicyName: isAadB2C ? identityProviderPasswordResetPolicyName : null
|
||||
clientId: identityProviderClientId
|
||||
clientSecret: identityProviderClientSecret
|
||||
}
|
||||
}
|
||||
|
||||
@description('The resource ID of the API management service identity provider.')
|
||||
output resourceId string = identityProvider.id
|
||||
|
||||
@description('The name of the API management service identity provider.')
|
||||
output name string = identityProvider.name
|
||||
|
||||
@description('The resource group the API management service identity provider was deployed into.')
|
||||
output resourceGroupName string = resourceGroup().name
|
|
@ -1,57 +0,0 @@
|
|||
# API Management Service Identity Providers `[Microsoft.ApiManagement/service/identityProviders]`
|
||||
|
||||
This module deploys API Management Service Identity Provider.
|
||||
|
||||
## Navigation
|
||||
|
||||
- [Resource Types](#Resource-Types)
|
||||
- [Parameters](#Parameters)
|
||||
- [Outputs](#Outputs)
|
||||
- [Cross-referenced modules](#Cross-referenced-modules)
|
||||
|
||||
## Resource Types
|
||||
|
||||
| Resource Type | API Version |
|
||||
| :-- | :-- |
|
||||
| `Microsoft.ApiManagement/service/identityProviders` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/identityProviders) |
|
||||
|
||||
## Parameters
|
||||
|
||||
**Required parameters**
|
||||
| Parameter Name | Type | Description |
|
||||
| :-- | :-- | :-- |
|
||||
| `name` | string | Identity provider name. |
|
||||
|
||||
**Conditional parameters**
|
||||
| Parameter Name | Type | Default Value | Description |
|
||||
| :-- | :-- | :-- | :-- |
|
||||
| `apiManagementServiceName` | string | | The name of the parent API Management service. Required if the template is used in a standalone deployment. |
|
||||
| `identityProviderClientId` | string | `''` | Client ID of the Application in the external Identity Provider. Required if identity provider is used. |
|
||||
| `identityProviderClientSecret` | secureString | `''` | Client secret of the Application in external Identity Provider, used to authenticate login request. Required if identity provider is used. |
|
||||
|
||||
**Optional parameters**
|
||||
| Parameter Name | Type | Default Value | Allowed Values | Description |
|
||||
| :-- | :-- | :-- | :-- | :-- |
|
||||
| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). |
|
||||
| `enableIdentityProviders` | bool | `False` | | Used to enable the deployment of the identityProviders child resource. |
|
||||
| `identityProviderAllowedTenants` | array | `[]` | | List of Allowed Tenants when configuring Azure Active Directory login. - string. |
|
||||
| `identityProviderAuthority` | string | `''` | | OpenID Connect discovery endpoint hostname for AAD or AAD B2C. |
|
||||
| `identityProviderPasswordResetPolicyName` | string | `''` | | Password Reset Policy Name. Only applies to AAD B2C Identity Provider. |
|
||||
| `identityProviderProfileEditingPolicyName` | string | `''` | | Profile Editing Policy Name. Only applies to AAD B2C Identity Provider. |
|
||||
| `identityProviderSignInPolicyName` | string | `''` | | Signin Policy Name. Only applies to AAD B2C Identity Provider. |
|
||||
| `identityProviderSignInTenant` | string | `''` | | The TenantId to use instead of Common when logging into Active Directory. |
|
||||
| `identityProviderSignUpPolicyName` | string | `''` | | Signup Policy Name. Only applies to AAD B2C Identity Provider. |
|
||||
| `identityProviderType` | string | `'aad'` | `[aad, aadB2C, facebook, google, microsoft, twitter]` | Identity Provider Type identifier. |
|
||||
|
||||
|
||||
## Outputs
|
||||
|
||||
| Output Name | Type | Description |
|
||||
| :-- | :-- | :-- |
|
||||
| `name` | string | The name of the API management service identity provider. |
|
||||
| `resourceGroupName` | string | The resource group the API management service identity provider was deployed into. |
|
||||
| `resourceId` | string | The resource ID of the API management service identity provider. |
|
||||
|
||||
## Cross-referenced modules
|
||||
|
||||
_None_
|
|
@ -1,4 +0,0 @@
|
|||
{
|
||||
"$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
|
||||
"version": "0.4"
|
||||
}
|
|
@ -1,63 +0,0 @@
|
|||
@description('Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment.')
|
||||
param apiManagementServiceName string = ''
|
||||
|
||||
@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
|
||||
param enableDefaultTelemetry bool = true
|
||||
|
||||
@description('Required. Unique name of NamedValue. It may contain only letters, digits, period, dash, and underscore characters.')
|
||||
param displayName string
|
||||
|
||||
@description('Optional. KeyVault location details of the namedValue.')
|
||||
param keyVault object = {}
|
||||
|
||||
@description('Required. Named value Name.')
|
||||
param name string
|
||||
|
||||
@description('Optional. Tags that when provided can be used to filter the NamedValue list. - string.')
|
||||
param namedValueTags array = []
|
||||
|
||||
@description('Optional. Determines whether the value is a secret and should be encrypted or not. Default value is false.')
|
||||
#disable-next-line secure-secrets-in-params // Not a secret
|
||||
param secret bool = false
|
||||
|
||||
@description('Optional. Value of the NamedValue. Can contain policy expressions. It may not be empty or consist only of whitespace. This property will not be filled on \'GET\' operations! Use \'/listSecrets\' POST request to get the value.')
|
||||
param value string = newGuid()
|
||||
|
||||
var keyVaultEmpty = empty(keyVault)
|
||||
|
||||
resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
|
||||
name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
|
||||
properties: {
|
||||
mode: 'Incremental'
|
||||
template: {
|
||||
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
|
||||
contentVersion: '1.0.0.0'
|
||||
resources: []
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource service 'Microsoft.ApiManagement/service@2021-08-01' existing = {
|
||||
name: apiManagementServiceName
|
||||
}
|
||||
|
||||
resource namedValue 'Microsoft.ApiManagement/service/namedValues@2021-08-01' = {
|
||||
name: name
|
||||
parent: service
|
||||
properties: {
|
||||
tags: !empty(namedValueTags) ? namedValueTags : null
|
||||
secret: secret
|
||||
displayName: displayName
|
||||
value: keyVaultEmpty ? value : null
|
||||
keyVault: !keyVaultEmpty ? keyVault : null
|
||||
}
|
||||
}
|
||||
|
||||
@description('The resource ID of the named value.')
|
||||
output resourceId string = namedValue.id
|
||||
|
||||
@description('The name of the named value.')
|
||||
output name string = namedValue.name
|
||||
|
||||
@description('The resource group the named value was deployed into.')
|
||||
output resourceGroupName string = resourceGroup().name
|
|
@ -1,82 +0,0 @@
|
|||
# API Management Service Named Values `[Microsoft.ApiManagement/service/namedValues]`
|
||||
|
||||
This module deploys API Management Service Named Values.
|
||||
|
||||
## Navigation
|
||||
|
||||
- [Resource types](#Resource-types)
|
||||
- [Parameters](#Parameters)
|
||||
- [Outputs](#Outputs)
|
||||
- [Cross-referenced modules](#Cross-referenced-modules)
|
||||
|
||||
## Resource types
|
||||
|
||||
| Resource Type | API Version |
|
||||
| :-- | :-- |
|
||||
| `Microsoft.ApiManagement/service/namedValues` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/namedValues) |
|
||||
|
||||
## Parameters
|
||||
|
||||
**Required parameters**
|
||||
| Parameter Name | Type | Description |
|
||||
| :-- | :-- | :-- |
|
||||
| `displayName` | string | Unique name of NamedValue. It may contain only letters, digits, period, dash, and underscore characters. |
|
||||
| `name` | string | Named value Name. |
|
||||
|
||||
**Conditional parameters**
|
||||
| Parameter Name | Type | Default Value | Description |
|
||||
| :-- | :-- | :-- | :-- |
|
||||
| `apiManagementServiceName` | string | `''` | The name of the parent API Management service. Required if the template is used in a standalone deployment. |
|
||||
|
||||
**Optional parameters**
|
||||
| Parameter Name | Type | Default Value | Description |
|
||||
| :-- | :-- | :-- | :-- |
|
||||
| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). |
|
||||
| `keyVault` | object | `{object}` | KeyVault location details of the namedValue. |
|
||||
| `namedValueTags` | array | `[]` | Tags that when provided can be used to filter the NamedValue list. - string. |
|
||||
| `secret` | bool | `False` | Determines whether the value is a secret and should be encrypted or not. Default value is false. |
|
||||
| `value` | string | `[newGuid()]` | Value of the NamedValue. Can contain policy expressions. It may not be empty or consist only of whitespace. This property will not be filled on 'GET' operations! Use '/listSecrets' POST request to get the value. |
|
||||
|
||||
|
||||
### Parameter Usage: `keyVault`
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Parameter JSON format</summary>
|
||||
|
||||
```json
|
||||
"keyVault": {
|
||||
"value":{
|
||||
"secretIdentifier":"Key vault secret identifier for fetching secret.",
|
||||
"identityClientId":"SystemAssignedIdentity or UserAssignedIdentity Client ID which will be used to access key vault secret."
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Bicep format</summary>
|
||||
|
||||
```bicep
|
||||
keyVault: {
|
||||
secretIdentifier:'Key vault secret identifier for fetching secret.'
|
||||
identityClientId:'SystemAssignedIdentity or UserAssignedIdentity Client ID which will be used to access key vault secret.'
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
<p>
|
||||
|
||||
## Outputs
|
||||
|
||||
| Output Name | Type | Description |
|
||||
| :-- | :-- | :-- |
|
||||
| `name` | string | The name of the named value. |
|
||||
| `resourceGroupName` | string | The resource group the named value was deployed into. |
|
||||
| `resourceId` | string | The resource ID of the named value. |
|
||||
|
||||
## Cross-referenced modules
|
||||
|
||||
_None_
|
|
@ -1,4 +0,0 @@
|
|||
{
|
||||
"$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
|
||||
"version": "0.4"
|
||||
}
|
|
@ -1,54 +0,0 @@
|
|||
@description('Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment.')
|
||||
param apiManagementServiceName string
|
||||
|
||||
@description('Optional. The name of the policy.')
|
||||
param name string = 'policy'
|
||||
|
||||
@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
|
||||
param enableDefaultTelemetry bool = true
|
||||
|
||||
@description('Optional. Format of the policyContent.')
|
||||
@allowed([
|
||||
'rawxml'
|
||||
'rawxml-link'
|
||||
'xml'
|
||||
'xml-link'
|
||||
])
|
||||
param format string = 'xml'
|
||||
|
||||
@description('Required. Contents of the Policy as defined by the format.')
|
||||
param value string
|
||||
|
||||
resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
|
||||
name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
|
||||
properties: {
|
||||
mode: 'Incremental'
|
||||
template: {
|
||||
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
|
||||
contentVersion: '1.0.0.0'
|
||||
resources: []
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource service 'Microsoft.ApiManagement/service@2021-08-01' existing = {
|
||||
name: apiManagementServiceName
|
||||
}
|
||||
|
||||
resource policy 'Microsoft.ApiManagement/service/policies@2021-08-01' = {
|
||||
name: name
|
||||
parent: service
|
||||
properties: {
|
||||
format: format
|
||||
value: value
|
||||
}
|
||||
}
|
||||
|
||||
@description('The resource ID of the API management service policy.')
|
||||
output resourceId string = policy.id
|
||||
|
||||
@description('The name of the API management service policy.')
|
||||
output name string = policy.name
|
||||
|
||||
@description('The resource group the API management service policy was deployed into.')
|
||||
output resourceGroupName string = resourceGroup().name
|
|
@ -1,48 +0,0 @@
|
|||
# API Management Service Policies `[Microsoft.ApiManagement/service/policies]`
|
||||
|
||||
This module deploys API Management Service Policy.
|
||||
|
||||
## Navigation
|
||||
|
||||
- [Resource Types](#Resource-Types)
|
||||
- [Parameters](#Parameters)
|
||||
- [Outputs](#Outputs)
|
||||
- [Cross-referenced modules](#Cross-referenced-modules)
|
||||
|
||||
## Resource Types
|
||||
|
||||
| Resource Type | API Version |
|
||||
| :-- | :-- |
|
||||
| `Microsoft.ApiManagement/service/policies` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/policies) |
|
||||
|
||||
## Parameters
|
||||
|
||||
**Required parameters**
|
||||
| Parameter Name | Type | Description |
|
||||
| :-- | :-- | :-- |
|
||||
| `value` | string | Contents of the Policy as defined by the format. |
|
||||
|
||||
**Conditional parameters**
|
||||
| Parameter Name | Type | Description |
|
||||
| :-- | :-- | :-- |
|
||||
| `apiManagementServiceName` | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. |
|
||||
|
||||
**Optional parameters**
|
||||
| Parameter Name | Type | Default Value | Allowed Values | Description |
|
||||
| :-- | :-- | :-- | :-- | :-- |
|
||||
| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). |
|
||||
| `format` | string | `'xml'` | `[rawxml, rawxml-link, xml, xml-link]` | Format of the policyContent. |
|
||||
| `name` | string | `'policy'` | | The name of the policy. |
|
||||
|
||||
|
||||
## Outputs
|
||||
|
||||
| Output Name | Type | Description |
|
||||
| :-- | :-- | :-- |
|
||||
| `name` | string | The name of the API management service policy. |
|
||||
| `resourceGroupName` | string | The resource group the API management service policy was deployed into. |
|
||||
| `resourceId` | string | The resource ID of the API management service policy. |
|
||||
|
||||
## Cross-referenced modules
|
||||
|
||||
_None_
|
|
@ -1,4 +0,0 @@
|
|||
{
|
||||
"$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
|
||||
"version": "0.4"
|
||||
}
|
|
@ -1,47 +0,0 @@
|
|||
@description('Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment.')
|
||||
param apiManagementServiceName string
|
||||
|
||||
@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
|
||||
param enableDefaultTelemetry bool = true
|
||||
|
||||
@description('Required. Portal setting name.')
|
||||
@allowed([
|
||||
'delegation'
|
||||
'signin'
|
||||
'signup'
|
||||
])
|
||||
param name string
|
||||
|
||||
@description('Optional. Portal setting properties.')
|
||||
param properties object = {}
|
||||
|
||||
resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
|
||||
name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
|
||||
properties: {
|
||||
mode: 'Incremental'
|
||||
template: {
|
||||
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
|
||||
contentVersion: '1.0.0.0'
|
||||
resources: []
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource service 'Microsoft.ApiManagement/service@2021-08-01' existing = {
|
||||
name: apiManagementServiceName
|
||||
}
|
||||
|
||||
resource portalSetting 'Microsoft.ApiManagement/service/portalsettings@2021-08-01' = if (!empty(properties)) {
|
||||
name: any(name)
|
||||
parent: service
|
||||
properties: properties
|
||||
}
|
||||
|
||||
@description('The resource ID of the API management service portal setting.')
|
||||
output resourceId string = portalSetting.id
|
||||
|
||||
@description('The name of the API management service portal setting.')
|
||||
output name string = portalSetting.name
|
||||
|
||||
@description('The resource group the API management service portal setting was deployed into.')
|
||||
output resourceGroupName string = resourceGroup().name
|
|
@ -1,47 +0,0 @@
|
|||
# API Management Service Portal Settings `[Microsoft.ApiManagement/service/portalsettings]`
|
||||
|
||||
This module deploys API Management Service Portal Setting.
|
||||
|
||||
## Navigation
|
||||
|
||||
- [Resource Types](#Resource-Types)
|
||||
- [Parameters](#Parameters)
|
||||
- [Outputs](#Outputs)
|
||||
- [Cross-referenced modules](#Cross-referenced-modules)
|
||||
|
||||
## Resource Types
|
||||
|
||||
| Resource Type | API Version |
|
||||
| :-- | :-- |
|
||||
| `Microsoft.ApiManagement/service/portalsettings` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/service) |
|
||||
|
||||
## Parameters
|
||||
|
||||
**Required parameters**
|
||||
| Parameter Name | Type | Allowed Values | Description |
|
||||
| :-- | :-- | :-- | :-- |
|
||||
| `name` | string | `[delegation, signin, signup]` | Portal setting name. |
|
||||
|
||||
**Conditional parameters**
|
||||
| Parameter Name | Type | Description |
|
||||
| :-- | :-- | :-- |
|
||||
| `apiManagementServiceName` | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. |
|
||||
|
||||
**Optional parameters**
|
||||
| Parameter Name | Type | Default Value | Description |
|
||||
| :-- | :-- | :-- | :-- |
|
||||
| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). |
|
||||
| `properties` | object | `{object}` | Portal setting properties. |
|
||||
|
||||
|
||||
## Outputs
|
||||
|
||||
| Output Name | Type | Description |
|
||||
| :-- | :-- | :-- |
|
||||
| `name` | string | The name of the API management service portal setting. |
|
||||
| `resourceGroupName` | string | The resource group the API management service portal setting was deployed into. |
|
||||
| `resourceId` | string | The resource ID of the API management service portal setting. |
|
||||
|
||||
## Cross-referenced modules
|
||||
|
||||
_None_
|
|
@ -1,4 +0,0 @@
|
|||
{
|
||||
"$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
|
||||
"version": "0.4"
|
||||
}
|
|
@ -1,45 +0,0 @@
|
|||
@description('Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment.')
|
||||
param apiManagementServiceName string
|
||||
|
||||
@description('Conditional. The name of the parent Product. Required if the template is used in a standalone deployment.')
|
||||
param productName string
|
||||
|
||||
@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
|
||||
param enableDefaultTelemetry bool = true
|
||||
|
||||
@description('Required. Name of the product API.')
|
||||
param name string
|
||||
|
||||
resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
|
||||
name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
|
||||
properties: {
|
||||
mode: 'Incremental'
|
||||
template: {
|
||||
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
|
||||
contentVersion: '1.0.0.0'
|
||||
resources: []
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource service 'Microsoft.ApiManagement/service@2021-08-01' existing = {
|
||||
name: apiManagementServiceName
|
||||
|
||||
resource product 'products@2021-04-01-preview' existing = {
|
||||
name: productName
|
||||
}
|
||||
}
|
||||
|
||||
resource api 'Microsoft.ApiManagement/service/products/apis@2021-08-01' = {
|
||||
name: name
|
||||
parent: service::product
|
||||
}
|
||||
|
||||
@description('The resource ID of the product API.')
|
||||
output resourceId string = api.id
|
||||
|
||||
@description('The name of the product API.')
|
||||
output name string = api.name
|
||||
|
||||
@description('The resource group the product API was deployed into.')
|
||||
output resourceGroupName string = resourceGroup().name
|
|
@ -1,47 +0,0 @@
|
|||
# API Management Service Products APIs `[Microsoft.ApiManagement/service/products/apis]`
|
||||
|
||||
This module deploys API Management Service Product APIs.
|
||||
|
||||
## Navigation
|
||||
|
||||
- [Resource Types](#Resource-Types)
|
||||
- [Parameters](#Parameters)
|
||||
- [Outputs](#Outputs)
|
||||
- [Cross-referenced modules](#Cross-referenced-modules)
|
||||
|
||||
## Resource Types
|
||||
|
||||
| Resource Type | API Version |
|
||||
| :-- | :-- |
|
||||
| `Microsoft.ApiManagement/service/products/apis` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/products/apis) |
|
||||
|
||||
## Parameters
|
||||
|
||||
**Required parameters**
|
||||
| Parameter Name | Type | Description |
|
||||
| :-- | :-- | :-- |
|
||||
| `name` | string | Name of the product API. |
|
||||
|
||||
**Conditional parameters**
|
||||
| Parameter Name | Type | Description |
|
||||
| :-- | :-- | :-- |
|
||||
| `apiManagementServiceName` | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. |
|
||||
| `productName` | string | The name of the parent Product. Required if the template is used in a standalone deployment. |
|
||||
|
||||
**Optional parameters**
|
||||
| Parameter Name | Type | Default Value | Description |
|
||||
| :-- | :-- | :-- | :-- |
|
||||
| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). |
|
||||
|
||||
|
||||
## Outputs
|
||||
|
||||
| Output Name | Type | Description |
|
||||
| :-- | :-- | :-- |
|
||||
| `name` | string | The name of the product API. |
|
||||
| `resourceGroupName` | string | The resource group the product API was deployed into. |
|
||||
| `resourceId` | string | The resource ID of the product API. |
|
||||
|
||||
## Cross-referenced modules
|
||||
|
||||
_None_
|
|
@ -1,4 +0,0 @@
|
|||
{
|
||||
"$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
|
||||
"version": "0.4"
|
||||
}
|
|
@ -1,99 +0,0 @@
|
|||
@description('Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment.')
|
||||
param apiManagementServiceName string
|
||||
|
||||
@description('Optional. Whether subscription approval is required. If false, new subscriptions will be approved automatically enabling developers to call the products APIs immediately after subscribing. If true, administrators must manually approve the subscription before the developer can any of the products APIs. Can be present only if subscriptionRequired property is present and has a value of false.')
|
||||
param approvalRequired bool = false
|
||||
|
||||
@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
|
||||
param enableDefaultTelemetry bool = true
|
||||
|
||||
@description('Optional. Product description. May include HTML formatting tags.')
|
||||
param productDescription string = ''
|
||||
|
||||
@description('Optional. Array of Product APIs.')
|
||||
param apis array = []
|
||||
|
||||
@description('Optional. Array of Product Groups.')
|
||||
param groups array = []
|
||||
|
||||
@description('Required. Product Name.')
|
||||
param name string
|
||||
|
||||
@description('Optional. whether product is published or not. Published products are discoverable by users of developer portal. Non published products are visible only to administrators. Default state of Product is notPublished. - notPublished or published.')
|
||||
param state string = 'published'
|
||||
|
||||
@description('Optional. Whether a product subscription is required for accessing APIs included in this product. If true, the product is referred to as "protected" and a valid subscription key is required for a request to an API included in the product to succeed. If false, the product is referred to as "open" and requests to an API included in the product can be made without a subscription key. If property is omitted when creating a new product it\'s value is assumed to be true.')
|
||||
param subscriptionRequired bool = false
|
||||
|
||||
@description('Optional. Whether the number of subscriptions a user can have to this product at the same time. Set to null or omit to allow unlimited per user subscriptions. Can be present only if subscriptionRequired property is present and has a value of false.')
|
||||
param subscriptionsLimit int = 1
|
||||
|
||||
@description('Optional. Product terms of use. Developers trying to subscribe to the product will be presented and required to accept these terms before they can complete the subscription process.')
|
||||
param terms string = ''
|
||||
|
||||
var enableReferencedModulesTelemetry = false
|
||||
|
||||
resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
|
||||
name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
|
||||
properties: {
|
||||
mode: 'Incremental'
|
||||
template: {
|
||||
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
|
||||
contentVersion: '1.0.0.0'
|
||||
resources: []
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource service 'Microsoft.ApiManagement/service@2021-08-01' existing = {
|
||||
name: apiManagementServiceName
|
||||
}
|
||||
|
||||
resource product 'Microsoft.ApiManagement/service/products@2021-08-01' = {
|
||||
name: name
|
||||
parent: service
|
||||
properties: {
|
||||
description: productDescription
|
||||
displayName: name
|
||||
terms: terms
|
||||
subscriptionRequired: subscriptionRequired
|
||||
approvalRequired: subscriptionRequired ? approvalRequired : null
|
||||
subscriptionsLimit: subscriptionRequired ? subscriptionsLimit : null
|
||||
state: state
|
||||
}
|
||||
}
|
||||
|
||||
module product_apis 'apis/deploy.bicep' = [for (api, index) in apis: {
|
||||
name: '${deployment().name}-Api-${index}'
|
||||
params: {
|
||||
apiManagementServiceName: apiManagementServiceName
|
||||
name: api.name
|
||||
productName: name
|
||||
enableDefaultTelemetry: enableReferencedModulesTelemetry
|
||||
}
|
||||
}]
|
||||
|
||||
module product_groups 'groups/deploy.bicep' = [for (group, index) in groups: {
|
||||
name: '${deployment().name}-Group-${index}'
|
||||
params: {
|
||||
apiManagementServiceName: apiManagementServiceName
|
||||
name: group.name
|
||||
productName: name
|
||||
enableDefaultTelemetry: enableReferencedModulesTelemetry
|
||||
}
|
||||
}]
|
||||
|
||||
@description('The resource ID of the API management service product.')
|
||||
output resourceId string = product.id
|
||||
|
||||
@description('The name of the API management service product.')
|
||||
output name string = product.name
|
||||
|
||||
@description('The resource group the API management service product was deployed into.')
|
||||
output resourceGroupName string = resourceGroup().name
|
||||
|
||||
@description('The Resources IDs of the API management service product APIs.')
|
||||
output apiResourceIds array = [for index in range(0, length(apis)): product_apis[index].outputs.resourceId]
|
||||
|
||||
@description('The Resources IDs of the API management service product groups.')
|
||||
output groupResourceIds array = [for index in range(0, length(groups)): product_groups[index].outputs.resourceId]
|
|
@ -1,45 +0,0 @@
|
|||
@description('Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment.')
|
||||
param apiManagementServiceName string
|
||||
|
||||
@description('Conditional. The name of the parent Product. Required if the template is used in a standalone deployment.')
|
||||
param productName string
|
||||
|
||||
@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
|
||||
param enableDefaultTelemetry bool = true
|
||||
|
||||
@description('Required. Name of the product group.')
|
||||
param name string
|
||||
|
||||
resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
|
||||
name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
|
||||
properties: {
|
||||
mode: 'Incremental'
|
||||
template: {
|
||||
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
|
||||
contentVersion: '1.0.0.0'
|
||||
resources: []
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource service 'Microsoft.ApiManagement/service@2021-08-01' existing = {
|
||||
name: apiManagementServiceName
|
||||
|
||||
resource product 'products@2021-04-01-preview' existing = {
|
||||
name: productName
|
||||
}
|
||||
}
|
||||
|
||||
resource group 'Microsoft.ApiManagement/service/products/groups@2021-08-01' = {
|
||||
name: name
|
||||
parent: service::product
|
||||
}
|
||||
|
||||
@description('The resource ID of the product group.')
|
||||
output resourceId string = group.id
|
||||
|
||||
@description('The name of the product group.')
|
||||
output name string = group.name
|
||||
|
||||
@description('The resource group the product group was deployed into.')
|
||||
output resourceGroupName string = resourceGroup().name
|
|
@ -1,47 +0,0 @@
|
|||
# API Management Service Products Groups `[Microsoft.ApiManagement/service/products/groups]`
|
||||
|
||||
This module deploys API Management Service Product Groups.
|
||||
|
||||
## Navigation
|
||||
|
||||
- [Resource Types](#Resource-Types)
|
||||
- [Parameters](#Parameters)
|
||||
- [Outputs](#Outputs)
|
||||
- [Cross-referenced modules](#Cross-referenced-modules)
|
||||
|
||||
## Resource Types
|
||||
|
||||
| Resource Type | API Version |
|
||||
| :-- | :-- |
|
||||
| `Microsoft.ApiManagement/service/products/groups` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/products/groups) |
|
||||
|
||||
## Parameters
|
||||
|
||||
**Required parameters**
|
||||
| Parameter Name | Type | Description |
|
||||
| :-- | :-- | :-- |
|
||||
| `name` | string | Name of the product group. |
|
||||
|
||||
**Conditional parameters**
|
||||
| Parameter Name | Type | Description |
|
||||
| :-- | :-- | :-- |
|
||||
| `apiManagementServiceName` | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. |
|
||||
| `productName` | string | The name of the parent Product. Required if the template is used in a standalone deployment. |
|
||||
|
||||
**Optional parameters**
|
||||
| Parameter Name | Type | Default Value | Description |
|
||||
| :-- | :-- | :-- | :-- |
|
||||
| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). |
|
||||
|
||||
|
||||
## Outputs
|
||||
|
||||
| Output Name | Type | Description |
|
||||
| :-- | :-- | :-- |
|
||||
| `name` | string | The name of the product group. |
|
||||
| `resourceGroupName` | string | The resource group the product group was deployed into. |
|
||||
| `resourceId` | string | The resource ID of the product group. |
|
||||
|
||||
## Cross-referenced modules
|
||||
|
||||
_None_
|
|
@ -1,4 +0,0 @@
|
|||
{
|
||||
"$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
|
||||
"version": "0.4"
|
||||
}
|
|
@ -1,58 +0,0 @@
|
|||
# API Management Service Products `[Microsoft.ApiManagement/service/products]`
|
||||
|
||||
This module deploys API Management Service Products.
|
||||
|
||||
## Navigation
|
||||
|
||||
- [Resource types](#Resource-types)
|
||||
- [Parameters](#Parameters)
|
||||
- [Outputs](#Outputs)
|
||||
- [Cross-referenced modules](#Cross-referenced-modules)
|
||||
|
||||
## Resource types
|
||||
|
||||
| Resource Type | API Version |
|
||||
| :-- | :-- |
|
||||
| `Microsoft.ApiManagement/service/products` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/products) |
|
||||
| `Microsoft.ApiManagement/service/products/apis` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/products/apis) |
|
||||
| `Microsoft.ApiManagement/service/products/groups` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/products/groups) |
|
||||
|
||||
## Parameters
|
||||
|
||||
**Required parameters**
|
||||
| Parameter Name | Type | Description |
|
||||
| :-- | :-- | :-- |
|
||||
| `name` | string | Product Name. |
|
||||
|
||||
**Conditional parameters**
|
||||
| Parameter Name | Type | Description |
|
||||
| :-- | :-- | :-- |
|
||||
| `apiManagementServiceName` | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. |
|
||||
|
||||
**Optional parameters**
|
||||
| Parameter Name | Type | Default Value | Description |
|
||||
| :-- | :-- | :-- | :-- |
|
||||
| `apis` | _[apis](apis/readme.md)_ array | `[]` | Array of Product APIs. |
|
||||
| `approvalRequired` | bool | `False` | Whether subscription approval is required. If false, new subscriptions will be approved automatically enabling developers to call the products APIs immediately after subscribing. If true, administrators must manually approve the subscription before the developer can any of the products APIs. Can be present only if subscriptionRequired property is present and has a value of false. |
|
||||
| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). |
|
||||
| `groups` | _[groups](groups/readme.md)_ array | `[]` | Array of Product Groups. |
|
||||
| `productDescription` | string | `''` | Product description. May include HTML formatting tags. |
|
||||
| `state` | string | `'published'` | whether product is published or not. Published products are discoverable by users of developer portal. Non published products are visible only to administrators. Default state of Product is notPublished. - notPublished or published. |
|
||||
| `subscriptionRequired` | bool | `False` | Whether a product subscription is required for accessing APIs included in this product. If true, the product is referred to as "protected" and a valid subscription key is required for a request to an API included in the product to succeed. If false, the product is referred to as "open" and requests to an API included in the product can be made without a subscription key. If property is omitted when creating a new product it's value is assumed to be true. |
|
||||
| `subscriptionsLimit` | int | `1` | Whether the number of subscriptions a user can have to this product at the same time. Set to null or omit to allow unlimited per user subscriptions. Can be present only if subscriptionRequired property is present and has a value of false. |
|
||||
| `terms` | string | `''` | Product terms of use. Developers trying to subscribe to the product will be presented and required to accept these terms before they can complete the subscription process. |
|
||||
|
||||
|
||||
## Outputs
|
||||
|
||||
| Output Name | Type | Description |
|
||||
| :-- | :-- | :-- |
|
||||
| `apiResourceIds` | array | The Resources IDs of the API management service product APIs. |
|
||||
| `groupResourceIds` | array | The Resources IDs of the API management service product groups. |
|
||||
| `name` | string | The name of the API management service product. |
|
||||
| `resourceGroupName` | string | The resource group the API management service product was deployed into. |
|
||||
| `resourceId` | string | The resource ID of the API management service product. |
|
||||
|
||||
## Cross-referenced modules
|
||||
|
||||
_None_
|
|
@ -1,4 +0,0 @@
|
|||
{
|
||||
"$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
|
||||
"version": "0.4"
|
||||
}
|
|
@ -1,788 +0,0 @@
|
|||
# API Management Services `[Microsoft.ApiManagement/service]`
|
||||
|
||||
This module deploys an API management service.
|
||||
|
||||
## Navigation
|
||||
|
||||
- [Resource types](#Resource-types)
|
||||
- [Parameters](#Parameters)
|
||||
- [Outputs](#Outputs)
|
||||
- [Considerations](#Considerations)
|
||||
- [Cross-referenced modules](#Cross-referenced-modules)
|
||||
- [Deployment examples](#Deployment-examples)
|
||||
|
||||
## Resource types
|
||||
|
||||
| Resource Type | API Version |
|
||||
| :-- | :-- |
|
||||
| `Microsoft.ApiManagement/service` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service) |
|
||||
| `Microsoft.ApiManagement/service/apis` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/apis) |
|
||||
| `Microsoft.ApiManagement/service/apis/policies` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/apis/policies) |
|
||||
| `Microsoft.ApiManagement/service/apiVersionSets` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/apiVersionSets) |
|
||||
| `Microsoft.ApiManagement/service/authorizationServers` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/authorizationServers) |
|
||||
| `Microsoft.ApiManagement/service/backends` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/backends) |
|
||||
| `Microsoft.ApiManagement/service/caches` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/caches) |
|
||||
| `Microsoft.ApiManagement/service/identityProviders` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/identityProviders) |
|
||||
| `Microsoft.ApiManagement/service/namedValues` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/namedValues) |
|
||||
| `Microsoft.ApiManagement/service/policies` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/policies) |
|
||||
| `Microsoft.ApiManagement/service/portalsettings` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/service) |
|
||||
| `Microsoft.ApiManagement/service/products` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/products) |
|
||||
| `Microsoft.ApiManagement/service/products/apis` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/products/apis) |
|
||||
| `Microsoft.ApiManagement/service/products/groups` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/products/groups) |
|
||||
| `Microsoft.ApiManagement/service/subscriptions` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/subscriptions) |
|
||||
| `Microsoft.Authorization/locks` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) |
|
||||
| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
|
||||
| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) |
|
||||
|
||||
## Parameters
|
||||
|
||||
**Required parameters**
|
||||
| Parameter Name | Type | Description |
|
||||
| :-- | :-- | :-- |
|
||||
| `name` | string | The name of the API Management service. |
|
||||
| `publisherEmail` | string | The email address of the owner of the service. |
|
||||
| `publisherName` | string | The name of the owner of the service. |
|
||||
|
||||
**Optional parameters**
|
||||
| Parameter Name | Type | Default Value | Allowed Values | Description |
|
||||
| :-- | :-- | :-- | :-- | :-- |
|
||||
| `additionalLocations` | array | `[]` | | Additional datacenter locations of the API Management service. |
|
||||
| `apis` | _[apis](apis/readme.md)_ array | `[]` | | APIs. |
|
||||
| `apiVersionSets` | _[apiVersionSets](apiVersionSets/readme.md)_ array | `[]` | | API Version Sets. |
|
||||
| `authorizationServers` | _[authorizationServers](authorizationServers/readme.md)_ array | `[]` | | Authorization servers. |
|
||||
| `backends` | _[backends](backends/readme.md)_ array | `[]` | | Backends. |
|
||||
| `caches` | _[caches](caches/readme.md)_ array | `[]` | | Caches. |
|
||||
| `certificates` | array | `[]` | | List of Certificates that need to be installed in the API Management service. Max supported certificates that can be installed is 10. |
|
||||
| `customProperties` | object | `{object}` | | Custom properties of the API Management service. |
|
||||
| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
|
||||
| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. |
|
||||
| `diagnosticLogCategoriesToEnable` | array | `[GatewayLogs]` | `[GatewayLogs]` | The name of logs that will be streamed. |
|
||||
| `diagnosticLogsRetentionInDays` | int | `365` | | Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. |
|
||||
| `diagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. |
|
||||
| `diagnosticSettingsName` | string | `[format('{0}-diagnosticSettings', parameters('name'))]` | | The name of the diagnostic setting, if deployed. |
|
||||
| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. |
|
||||
| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. |
|
||||
| `disableGateway` | bool | `False` | | Property only valid for an API Management service deployed in multiple locations. This can be used to disable the gateway in master region. |
|
||||
| `enableClientCertificate` | bool | `False` | | Property only meant to be used for Consumption SKU Service. This enforces a client certificate to be presented on each request to the gateway. This also enables the ability to authenticate the certificate in the policy on the gateway. |
|
||||
| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). |
|
||||
| `hostnameConfigurations` | array | `[]` | | Custom hostname configuration of the API Management service. |
|
||||
| `identityProviders` | _[identityProviders](identityProviders/readme.md)_ array | `[]` | | Identity providers. |
|
||||
| `location` | string | `[resourceGroup().location]` | | Location for all Resources. |
|
||||
| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. |
|
||||
| `minApiVersion` | string | `''` | | Limit control plane API calls to API Management service with version equal to or newer than this value. |
|
||||
| `namedValues` | _[namedValues](namedValues/readme.md)_ array | `[]` | | Named values. |
|
||||
| `newGuidValue` | string | `[newGuid()]` | | Necessary to create a new GUID. |
|
||||
| `notificationSenderEmail` | string | `'apimgmt-noreply@mail.windowsazure.com'` | | The notification sender email address for the service. |
|
||||
| `policies` | _[policies](policies/readme.md)_ array | `[]` | | Policies. |
|
||||
| `portalSettings` | _[portalSettings](portalSettings/readme.md)_ array | `[]` | | Portal settings. |
|
||||
| `products` | _[products](products/readme.md)_ array | `[]` | | Products. |
|
||||
| `restore` | bool | `False` | | Undelete API Management Service if it was previously soft-deleted. If this flag is specified and set to True all other properties will be ignored. |
|
||||
| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
|
||||
| `sku` | string | `'Developer'` | `[Basic, Consumption, Developer, Premium, Standard]` | The pricing tier of this API Management service. |
|
||||
| `skuCount` | int | `1` | `[1, 2]` | The instance size of this API Management service. |
|
||||
| `subnetResourceId` | string | `''` | | The full resource ID of a subnet in a virtual network to deploy the API Management service in. |
|
||||
| `subscriptions` | _[subscriptions](subscriptions/readme.md)_ array | `[]` | | Subscriptions. |
|
||||
| `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. |
|
||||
| `tags` | object | `{object}` | | Tags of the resource. |
|
||||
| `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. |
|
||||
| `virtualNetworkType` | string | `'None'` | `[External, Internal, None]` | The type of VPN in which API Management service needs to be configured in. None (Default Value) means the API Management service is not part of any Virtual Network, External means the API Management deployment is set up inside a Virtual Network having an internet Facing Endpoint, and Internal means that API Management deployment is setup inside a Virtual Network having an Intranet Facing Endpoint only. |
|
||||
| `zones` | array | `[]` | | A list of availability zones denoting where the resource needs to come from. |
|
||||
|
||||
|
||||
### Parameter Usage: `roleAssignments`
|
||||
|
||||
Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure.
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Parameter JSON format</summary>
|
||||
|
||||
```json
|
||||
"roleAssignments": {
|
||||
"value": [
|
||||
{
|
||||
"roleDefinitionIdOrName": "Reader",
|
||||
"description": "Reader Role Assignment",
|
||||
"principalIds": [
|
||||
"12345678-1234-1234-1234-123456789012", // object 1
|
||||
"78945612-1234-1234-1234-123456789012" // object 2
|
||||
]
|
||||
},
|
||||
{
|
||||
"roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
|
||||
"principalIds": [
|
||||
"12345678-1234-1234-1234-123456789012" // object 1
|
||||
],
|
||||
"principalType": "ServicePrincipal"
|
||||
}
|
||||
]
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Bicep format</summary>
|
||||
|
||||
```bicep
|
||||
roleAssignments: [
|
||||
{
|
||||
roleDefinitionIdOrName: 'Reader'
|
||||
description: 'Reader Role Assignment'
|
||||
principalIds: [
|
||||
'12345678-1234-1234-1234-123456789012' // object 1
|
||||
'78945612-1234-1234-1234-123456789012' // object 2
|
||||
]
|
||||
}
|
||||
{
|
||||
roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'
|
||||
principalIds: [
|
||||
'12345678-1234-1234-1234-123456789012' // object 1
|
||||
]
|
||||
principalType: 'ServicePrincipal'
|
||||
}
|
||||
]
|
||||
```
|
||||
|
||||
</details>
|
||||
<p>
|
||||
|
||||
### Parameter Usage: `tags`
|
||||
|
||||
Tag names and tag values can be provided as needed. A tag can be left without a value.
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Parameter JSON format</summary>
|
||||
|
||||
```json
|
||||
"tags": {
|
||||
"value": {
|
||||
"Environment": "Non-Prod",
|
||||
"Contact": "test.user@testcompany.com",
|
||||
"PurchaseOrder": "1234",
|
||||
"CostCenter": "7890",
|
||||
"ServiceName": "DeploymentValidation",
|
||||
"Role": "DeploymentValidation"
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Bicep format</summary>
|
||||
|
||||
```bicep
|
||||
tags: {
|
||||
Environment: 'Non-Prod'
|
||||
Contact: 'test.user@testcompany.com'
|
||||
PurchaseOrder: '1234'
|
||||
CostCenter: '7890'
|
||||
ServiceName: 'DeploymentValidation'
|
||||
Role: 'DeploymentValidation'
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
<p>
|
||||
|
||||
### Parameter Usage: `apiManagementServicePolicy`
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Parameter JSON format</summary>
|
||||
|
||||
```json
|
||||
"apiManagementServicePolicy": {
|
||||
"value": {
|
||||
"value":"<policies> <inbound> <rate-limit-by-key calls='250' renewal-period='60' counter-key='@(context.Request.IpAddress)' /> </inbound> <backend> <forward-request /> </backend> <outbound> </outbound> </policies>",
|
||||
"format":"xml"
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Bicep format</summary>
|
||||
|
||||
```bicep
|
||||
apiManagementServicePolicy: {
|
||||
value:'<policies> <inbound> <rate-limit-by-key calls=\'250\' renewal-period='60' counter-key=\'@(context.Request.IpAddress)\' /> </inbound> <backend> <forward-request /> </backend> <outbound> </outbound> </policies>'
|
||||
format:'xml'
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
<p>
|
||||
|
||||
### Parameter Usage: `userAssignedIdentities`
|
||||
|
||||
You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format:
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Parameter JSON format</summary>
|
||||
|
||||
```json
|
||||
"userAssignedIdentities": {
|
||||
"value": {
|
||||
"/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {},
|
||||
"/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {}
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Bicep format</summary>
|
||||
|
||||
```bicep
|
||||
userAssignedIdentities: {
|
||||
'/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {}
|
||||
'/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {}
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
<p>
|
||||
|
||||
## Outputs
|
||||
|
||||
| Output Name | Type | Description |
|
||||
| :-- | :-- | :-- |
|
||||
| `location` | string | The location the resource was deployed into. |
|
||||
| `name` | string | The name of the API management service. |
|
||||
| `resourceGroupName` | string | The resource group the API management service was deployed into. |
|
||||
| `resourceId` | string | The resource ID of the API management service. |
|
||||
| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. |
|
||||
|
||||
## Considerations
|
||||
|
||||
- *None*
|
||||
|
||||
## Cross-referenced modules
|
||||
|
||||
This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs).
|
||||
|
||||
| Reference | Type |
|
||||
| :-- | :-- |
|
||||
| `Microsoft.ApiManagement/authorizationServers` | Local reference |
|
||||
|
||||
## Deployment examples
|
||||
|
||||
The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder.
|
||||
>**Note**: The name of each example is based on the name of the file from which it is taken.
|
||||
|
||||
>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order.
|
||||
|
||||
<h3>Example 1: Max</h3>
|
||||
|
||||
<details>
|
||||
|
||||
<summary>via Bicep module</summary>
|
||||
|
||||
```bicep
|
||||
module service './Microsoft.ApiManagement/service/deploy.bicep' = {
|
||||
name: '${uniqueString(deployment().name)}-Service'
|
||||
params: {
|
||||
// Required parameters
|
||||
name: '<<namePrefix>>-az-apim-max-001'
|
||||
publisherEmail: 'apimgmt-noreply@mail.windowsazure.com'
|
||||
publisherName: '<<namePrefix>>-az-amorg-x-001'
|
||||
// Non-required parameters
|
||||
apis: [
|
||||
{
|
||||
apiVersionSet: {
|
||||
name: 'echo-version-set'
|
||||
properties: {
|
||||
description: 'echo-version-set'
|
||||
displayName: 'echo-version-set'
|
||||
versioningScheme: 'Segment'
|
||||
}
|
||||
}
|
||||
displayName: 'Echo API'
|
||||
name: 'echo-api'
|
||||
path: 'echo'
|
||||
serviceUrl: 'http://echoapi.cloudapp.net/api'
|
||||
}
|
||||
]
|
||||
authorizationServers: [
|
||||
{
|
||||
authorizationEndpoint: 'https://login.microsoftonline.com/651b43ce-ccb8-4301-b551-b04dd872d401/oauth2/v2.0/authorize'
|
||||
clientCredentialsKeyVaultId: '/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<<namePrefix>>-az-kv-x-001'
|
||||
clientIdSecretName: 'apimclientid'
|
||||
clientRegistrationEndpoint: 'http://localhost'
|
||||
clientSecretSecretName: 'apimclientsecret'
|
||||
grantTypes: [
|
||||
'authorizationCode'
|
||||
]
|
||||
name: 'AuthServer1'
|
||||
tokenEndpoint: 'https://login.microsoftonline.com/651b43ce-ccb8-4301-b551-b04dd872d401/oauth2/v2.0/token'
|
||||
}
|
||||
]
|
||||
backends: [
|
||||
{
|
||||
name: 'backend'
|
||||
tls: {
|
||||
validateCertificateChain: false
|
||||
validateCertificateName: false
|
||||
}
|
||||
url: 'http://echoapi.cloudapp.net/api'
|
||||
}
|
||||
]
|
||||
caches: [
|
||||
{
|
||||
connectionString: 'connectionstringtest'
|
||||
name: 'westeurope'
|
||||
useFromLocation: 'westeurope'
|
||||
}
|
||||
]
|
||||
diagnosticEventHubAuthorizationRuleId: '/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<<namePrefix>>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey'
|
||||
diagnosticEventHubName: 'adp-<<namePrefix>>-az-evh-x-001'
|
||||
diagnosticLogsRetentionInDays: 7
|
||||
diagnosticStorageAccountId: '/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<<namePrefix>>azsax001'
|
||||
diagnosticWorkspaceId: '/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<<namePrefix>>-az-law-x-001'
|
||||
identityProviders: [
|
||||
{
|
||||
name: 'aadProvider'
|
||||
}
|
||||
]
|
||||
lock: 'CanNotDelete'
|
||||
namedValues: [
|
||||
{
|
||||
displayName: 'apimkey'
|
||||
name: 'apimkey'
|
||||
secret: true
|
||||
}
|
||||
]
|
||||
policies: [
|
||||
{
|
||||
format: 'xml'
|
||||
value: '<policies> <inbound> <rate-limit-by-key calls='250' renewal-period='60' counter-key='@(context.Request.IpAddress)' /> </inbound> <backend> <forward-request /> </backend> <outbound> </outbound> </policies>'
|
||||
}
|
||||
]
|
||||
portalSettings: [
|
||||
{
|
||||
name: 'signin'
|
||||
properties: {
|
||||
enabled: false
|
||||
}
|
||||
}
|
||||
{
|
||||
name: 'signup'
|
||||
properties: {
|
||||
enabled: false
|
||||
termsOfService: {
|
||||
consentRequired: false
|
||||
enabled: false
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
products: [
|
||||
{
|
||||
apis: [
|
||||
{
|
||||
name: 'echo-api'
|
||||
}
|
||||
]
|
||||
approvalRequired: false
|
||||
groups: [
|
||||
{
|
||||
name: 'developers'
|
||||
}
|
||||
]
|
||||
name: 'Starter'
|
||||
subscriptionRequired: false
|
||||
}
|
||||
]
|
||||
roleAssignments: [
|
||||
{
|
||||
principalIds: [
|
||||
'<<deploymentSpId>>'
|
||||
]
|
||||
roleDefinitionIdOrName: 'Reader'
|
||||
}
|
||||
]
|
||||
subscriptions: [
|
||||
{
|
||||
name: 'testArmSubscriptionAllApis'
|
||||
scope: '/apis'
|
||||
}
|
||||
]
|
||||
systemAssignedIdentity: true
|
||||
userAssignedIdentities: {
|
||||
'/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<<namePrefix>>-az-msi-x-001': {}
|
||||
}
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
<p>
|
||||
|
||||
<details>
|
||||
|
||||
<summary>via JSON Parameter file</summary>
|
||||
|
||||
```json
|
||||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
// Required parameters
|
||||
"name": {
|
||||
"value": "<<namePrefix>>-az-apim-max-001"
|
||||
},
|
||||
"publisherEmail": {
|
||||
"value": "apimgmt-noreply@mail.windowsazure.com"
|
||||
},
|
||||
"publisherName": {
|
||||
"value": "<<namePrefix>>-az-amorg-x-001"
|
||||
},
|
||||
// Non-required parameters
|
||||
"apis": {
|
||||
"value": [
|
||||
{
|
||||
"apiVersionSet": {
|
||||
"name": "echo-version-set",
|
||||
"properties": {
|
||||
"description": "echo-version-set",
|
||||
"displayName": "echo-version-set",
|
||||
"versioningScheme": "Segment"
|
||||
}
|
||||
},
|
||||
"displayName": "Echo API",
|
||||
"name": "echo-api",
|
||||
"path": "echo",
|
||||
"serviceUrl": "http://echoapi.cloudapp.net/api"
|
||||
}
|
||||
]
|
||||
},
|
||||
"authorizationServers": {
|
||||
"value": [
|
||||
{
|
||||
"authorizationEndpoint": "https://login.microsoftonline.com/651b43ce-ccb8-4301-b551-b04dd872d401/oauth2/v2.0/authorize",
|
||||
"clientCredentialsKeyVaultId": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<<namePrefix>>-az-kv-x-001",
|
||||
"clientIdSecretName": "apimclientid",
|
||||
"clientRegistrationEndpoint": "http://localhost",
|
||||
"clientSecretSecretName": "apimclientsecret",
|
||||
"grantTypes": [
|
||||
"authorizationCode"
|
||||
],
|
||||
"name": "AuthServer1",
|
||||
"tokenEndpoint": "https://login.microsoftonline.com/651b43ce-ccb8-4301-b551-b04dd872d401/oauth2/v2.0/token"
|
||||
}
|
||||
]
|
||||
},
|
||||
"backends": {
|
||||
"value": [
|
||||
{
|
||||
"name": "backend",
|
||||
"tls": {
|
||||
"validateCertificateChain": false,
|
||||
"validateCertificateName": false
|
||||
},
|
||||
"url": "http://echoapi.cloudapp.net/api"
|
||||
}
|
||||
]
|
||||
},
|
||||
"caches": {
|
||||
"value": [
|
||||
{
|
||||
"connectionString": "connectionstringtest",
|
||||
"name": "westeurope",
|
||||
"useFromLocation": "westeurope"
|
||||
}
|
||||
]
|
||||
},
|
||||
"diagnosticEventHubAuthorizationRuleId": {
|
||||
"value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<<namePrefix>>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey"
|
||||
},
|
||||
"diagnosticEventHubName": {
|
||||
"value": "adp-<<namePrefix>>-az-evh-x-001"
|
||||
},
|
||||
"diagnosticLogsRetentionInDays": {
|
||||
"value": 7
|
||||
},
|
||||
"diagnosticStorageAccountId": {
|
||||
"value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<<namePrefix>>azsax001"
|
||||
},
|
||||
"diagnosticWorkspaceId": {
|
||||
"value": "/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<<namePrefix>>-az-law-x-001"
|
||||
},
|
||||
"identityProviders": {
|
||||
"value": [
|
||||
{
|
||||
"name": "aadProvider"
|
||||
}
|
||||
]
|
||||
},
|
||||
"lock": {
|
||||
"value": "CanNotDelete"
|
||||
},
|
||||
"namedValues": {
|
||||
"value": [
|
||||
{
|
||||
"displayName": "apimkey",
|
||||
"name": "apimkey",
|
||||
"secret": true
|
||||
}
|
||||
]
|
||||
},
|
||||
"policies": {
|
||||
"value": [
|
||||
{
|
||||
"format": "xml",
|
||||
"value": "<policies> <inbound> <rate-limit-by-key calls='250' renewal-period='60' counter-key='@(context.Request.IpAddress)' /> </inbound> <backend> <forward-request /> </backend> <outbound> </outbound> </policies>"
|
||||
}
|
||||
]
|
||||
},
|
||||
"portalSettings": {
|
||||
"value": [
|
||||
{
|
||||
"name": "signin",
|
||||
"properties": {
|
||||
"enabled": false
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "signup",
|
||||
"properties": {
|
||||
"enabled": false,
|
||||
"termsOfService": {
|
||||
"consentRequired": false,
|
||||
"enabled": false
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
"products": {
|
||||
"value": [
|
||||
{
|
||||
"apis": [
|
||||
{
|
||||
"name": "echo-api"
|
||||
}
|
||||
],
|
||||
"approvalRequired": false,
|
||||
"groups": [
|
||||
{
|
||||
"name": "developers"
|
||||
}
|
||||
],
|
||||
"name": "Starter",
|
||||
"subscriptionRequired": false
|
||||
}
|
||||
]
|
||||
},
|
||||
"roleAssignments": {
|
||||
"value": [
|
||||
{
|
||||
"principalIds": [
|
||||
"<<deploymentSpId>>"
|
||||
],
|
||||
"roleDefinitionIdOrName": "Reader"
|
||||
}
|
||||
]
|
||||
},
|
||||
"subscriptions": {
|
||||
"value": [
|
||||
{
|
||||
"name": "testArmSubscriptionAllApis",
|
||||
"scope": "/apis"
|
||||
}
|
||||
]
|
||||
},
|
||||
"systemAssignedIdentity": {
|
||||
"value": true
|
||||
},
|
||||
"userAssignedIdentities": {
|
||||
"value": {
|
||||
"/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<<namePrefix>>-az-msi-x-001": {}
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
<p>
|
||||
|
||||
<h3>Example 2: Min</h3>
|
||||
|
||||
<details>
|
||||
|
||||
<summary>via Bicep module</summary>
|
||||
|
||||
```bicep
|
||||
module service './Microsoft.ApiManagement/service/deploy.bicep' = {
|
||||
name: '${uniqueString(deployment().name)}-Service'
|
||||
params: {
|
||||
// Required parameters
|
||||
name: '<<namePrefix>>-az-apim-min-001'
|
||||
publisherEmail: 'apimgmt-noreply@mail.windowsazure.com'
|
||||
publisherName: '<<namePrefix>>-az-amorg-x-001'
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
<p>
|
||||
|
||||
<details>
|
||||
|
||||
<summary>via JSON Parameter file</summary>
|
||||
|
||||
```json
|
||||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
// Required parameters
|
||||
"name": {
|
||||
"value": "<<namePrefix>>-az-apim-min-001"
|
||||
},
|
||||
"publisherEmail": {
|
||||
"value": "apimgmt-noreply@mail.windowsazure.com"
|
||||
},
|
||||
"publisherName": {
|
||||
"value": "<<namePrefix>>-az-amorg-x-001"
|
||||
}
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
<p>
|
||||
|
||||
<h3>Example 3: Parameters</h3>
|
||||
|
||||
<details>
|
||||
|
||||
<summary>via Bicep module</summary>
|
||||
|
||||
```bicep
|
||||
module service './Microsoft.ApiManagement/service/deploy.bicep' = {
|
||||
name: '${uniqueString(deployment().name)}-Service'
|
||||
params: {
|
||||
// Required parameters
|
||||
name: '<<namePrefix>>-az-apim-x-001'
|
||||
publisherEmail: 'apimgmt-noreply@mail.windowsazure.com'
|
||||
publisherName: '<<namePrefix>>-az-amorg-x-001'
|
||||
// Non-required parameters
|
||||
lock: 'CanNotDelete'
|
||||
policies: [
|
||||
{
|
||||
format: 'xml'
|
||||
value: '<policies> <inbound> <rate-limit-by-key calls='250' renewal-period='60' counter-key='@(context.Request.IpAddress)' /> </inbound> <backend> <forward-request /> </backend> <outbound> </outbound> </policies>'
|
||||
}
|
||||
]
|
||||
portalSettings: [
|
||||
{
|
||||
name: 'signin'
|
||||
properties: {
|
||||
enabled: false
|
||||
}
|
||||
}
|
||||
{
|
||||
name: 'signup'
|
||||
properties: {
|
||||
enabled: false
|
||||
termsOfService: {
|
||||
consentRequired: false
|
||||
enabled: false
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
roleAssignments: [
|
||||
{
|
||||
principalIds: [
|
||||
'<<deploymentSpId>>'
|
||||
]
|
||||
roleDefinitionIdOrName: 'Reader'
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
<p>
|
||||
|
||||
<details>
|
||||
|
||||
<summary>via JSON Parameter file</summary>
|
||||
|
||||
```json
|
||||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
// Required parameters
|
||||
"name": {
|
||||
"value": "<<namePrefix>>-az-apim-x-001"
|
||||
},
|
||||
"publisherEmail": {
|
||||
"value": "apimgmt-noreply@mail.windowsazure.com"
|
||||
},
|
||||
"publisherName": {
|
||||
"value": "<<namePrefix>>-az-amorg-x-001"
|
||||
},
|
||||
// Non-required parameters
|
||||
"lock": {
|
||||
"value": "CanNotDelete"
|
||||
},
|
||||
"policies": {
|
||||
"value": [
|
||||
{
|
||||
"format": "xml",
|
||||
"value": "<policies> <inbound> <rate-limit-by-key calls='250' renewal-period='60' counter-key='@(context.Request.IpAddress)' /> </inbound> <backend> <forward-request /> </backend> <outbound> </outbound> </policies>"
|
||||
}
|
||||
]
|
||||
},
|
||||
"portalSettings": {
|
||||
"value": [
|
||||
{
|
||||
"name": "signin",
|
||||
"properties": {
|
||||
"enabled": false
|
||||
}
|
||||
},
|
||||
{
|
||||
"name": "signup",
|
||||
"properties": {
|
||||
"enabled": false,
|
||||
"termsOfService": {
|
||||
"consentRequired": false,
|
||||
"enabled": false
|
||||
}
|
||||
}
|
||||
}
|
||||
]
|
||||
},
|
||||
"roleAssignments": {
|
||||
"value": [
|
||||
{
|
||||
"principalIds": [
|
||||
"<<deploymentSpId>>"
|
||||
],
|
||||
"roleDefinitionIdOrName": "Reader"
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
<p>
|
|
@ -1,65 +0,0 @@
|
|||
@description('Optional. Determines whether tracing can be enabled.')
|
||||
param allowTracing bool = true
|
||||
|
||||
@description('Conditional. The name of the parent API Management service. Required if the template is used in a standalone deployment.')
|
||||
param apiManagementServiceName string
|
||||
|
||||
@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
|
||||
param enableDefaultTelemetry bool = true
|
||||
|
||||
@description('Optional. User (user ID path) for whom subscription is being created in form /users/{userId}.')
|
||||
param ownerId string = ''
|
||||
|
||||
@description('Optional. Primary subscription key. If not specified during request key will be generated automatically.')
|
||||
param primaryKey string = ''
|
||||
|
||||
@description('Optional. Scope type to choose between a product, "allAPIs" or a specific API. Scope like "/products/{productId}" or "/apis" or "/apis/{apiId}".')
|
||||
param scope string = '/apis'
|
||||
|
||||
@description('Optional. Secondary subscription key. If not specified during request key will be generated automatically.')
|
||||
param secondaryKey string = ''
|
||||
|
||||
@description('Optional. Initial subscription state. If no value is specified, subscription is created with Submitted state. Possible states are "*" active "?" the subscription is active, "*" suspended "?" the subscription is blocked, and the subscriber cannot call any APIs of the product, * submitted ? the subscription request has been made by the developer, but has not yet been approved or rejected, * rejected ? the subscription request has been denied by an administrator, * cancelled ? the subscription has been cancelled by the developer or administrator, * expired ? the subscription reached its expiration date and was deactivated. - suspended, active, expired, submitted, rejected, cancelled.')
|
||||
param state string = ''
|
||||
|
||||
@description('Required. Subscription name.')
|
||||
param name string
|
||||
|
||||
resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
|
||||
name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
|
||||
properties: {
|
||||
mode: 'Incremental'
|
||||
template: {
|
||||
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
|
||||
contentVersion: '1.0.0.0'
|
||||
resources: []
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource service 'Microsoft.ApiManagement/service@2021-08-01' existing = {
|
||||
name: apiManagementServiceName
|
||||
}
|
||||
|
||||
resource subscription 'Microsoft.ApiManagement/service/subscriptions@2021-08-01' = {
|
||||
name: name
|
||||
parent: service
|
||||
properties: {
|
||||
scope: scope
|
||||
displayName: name
|
||||
ownerId: !empty(ownerId) ? ownerId : null
|
||||
primaryKey: !empty(primaryKey) ? primaryKey : null
|
||||
secondaryKey: !empty(secondaryKey) ? secondaryKey : null
|
||||
state: !empty(state) ? state : null
|
||||
allowTracing: allowTracing
|
||||
}
|
||||
}
|
||||
|
||||
@description('The resource ID of the API management service subscription.')
|
||||
output resourceId string = subscription.id
|
||||
|
||||
@description('The name of the API management service subscription.')
|
||||
output name string = subscription.name
|
||||
|
||||
@description('The resource group the API management service subscription was deployed into.')
|
||||
output resourceGroupName string = resourceGroup().name
|
|
@ -1,52 +0,0 @@
|
|||
# API Management Subscriptions `[Microsoft.ApiManagement/service/subscriptions]`
|
||||
|
||||
This module deploys API Management Subscriptions.
|
||||
|
||||
## Navigation
|
||||
|
||||
- [Resource types](#Resource-types)
|
||||
- [Parameters](#Parameters)
|
||||
- [Outputs](#Outputs)
|
||||
- [Cross-referenced modules](#Cross-referenced-modules)
|
||||
|
||||
## Resource types
|
||||
|
||||
| Resource Type | API Version |
|
||||
| :-- | :-- |
|
||||
| `Microsoft.ApiManagement/service/subscriptions` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.ApiManagement/2021-08-01/service/subscriptions) |
|
||||
|
||||
## Parameters
|
||||
|
||||
**Required parameters**
|
||||
| Parameter Name | Type | Description |
|
||||
| :-- | :-- | :-- |
|
||||
| `name` | string | Subscription name. |
|
||||
|
||||
**Conditional parameters**
|
||||
| Parameter Name | Type | Description |
|
||||
| :-- | :-- | :-- |
|
||||
| `apiManagementServiceName` | string | The name of the parent API Management service. Required if the template is used in a standalone deployment. |
|
||||
|
||||
**Optional parameters**
|
||||
| Parameter Name | Type | Default Value | Description |
|
||||
| :-- | :-- | :-- | :-- |
|
||||
| `allowTracing` | bool | `True` | Determines whether tracing can be enabled. |
|
||||
| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). |
|
||||
| `ownerId` | string | `''` | User (user ID path) for whom subscription is being created in form /users/{userId}. |
|
||||
| `primaryKey` | string | `''` | Primary subscription key. If not specified during request key will be generated automatically. |
|
||||
| `scope` | string | `'/apis'` | Scope type to choose between a product, "allAPIs" or a specific API. Scope like "/products/{productId}" or "/apis" or "/apis/{apiId}". |
|
||||
| `secondaryKey` | string | `''` | Secondary subscription key. If not specified during request key will be generated automatically. |
|
||||
| `state` | string | `''` | Initial subscription state. If no value is specified, subscription is created with Submitted state. Possible states are "*" active "?" the subscription is active, "*" suspended "?" the subscription is blocked, and the subscriber cannot call any APIs of the product, * submitted ? the subscription request has been made by the developer, but has not yet been approved or rejected, * rejected ? the subscription request has been denied by an administrator, * cancelled ? the subscription has been cancelled by the developer or administrator, * expired ? the subscription reached its expiration date and was deactivated. - suspended, active, expired, submitted, rejected, cancelled. |
|
||||
|
||||
|
||||
## Outputs
|
||||
|
||||
| Output Name | Type | Description |
|
||||
| :-- | :-- | :-- |
|
||||
| `name` | string | The name of the API management service subscription. |
|
||||
| `resourceGroupName` | string | The resource group the API management service subscription was deployed into. |
|
||||
| `resourceId` | string | The resource ID of the API management service subscription. |
|
||||
|
||||
## Cross-referenced modules
|
||||
|
||||
_None_
|
|
@ -1,4 +0,0 @@
|
|||
{
|
||||
"$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
|
||||
"version": "0.4"
|
||||
}
|
|
@ -1,4 +0,0 @@
|
|||
{
|
||||
"$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
|
||||
"version": "0.4"
|
||||
}
|
|
@ -1,70 +0,0 @@
|
|||
@sys.description('Required. The IDs of the principals to assign the role to.')
|
||||
param principalIds array
|
||||
|
||||
@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
|
||||
param roleDefinitionIdOrName string
|
||||
|
||||
@sys.description('Required. The resource ID of the resource to apply the role assignment to.')
|
||||
param resourceId string
|
||||
|
||||
@sys.description('Optional. The principal type of the assigned principal ID.')
|
||||
@allowed([
|
||||
'ServicePrincipal'
|
||||
'Group'
|
||||
'User'
|
||||
'ForeignGroup'
|
||||
'Device'
|
||||
''
|
||||
])
|
||||
param principalType string = ''
|
||||
|
||||
@sys.description('Optional. The description of the role assignment.')
|
||||
param description string = ''
|
||||
|
||||
@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
|
||||
param condition string = ''
|
||||
|
||||
@sys.description('Optional. Version of the condition.')
|
||||
@allowed([
|
||||
'2.0'
|
||||
])
|
||||
param conditionVersion string = '2.0'
|
||||
|
||||
@sys.description('Optional. Id of the delegated managed identity resource.')
|
||||
param delegatedManagedIdentityResourceId string = ''
|
||||
|
||||
var builtInRoleNames = {
|
||||
'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
|
||||
'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
|
||||
'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
|
||||
'App Configuration Data Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b')
|
||||
'App Configuration Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '516239f1-63e1-4d78-a4de-a74fb236a071')
|
||||
'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
|
||||
'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
|
||||
'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
|
||||
'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
|
||||
'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
|
||||
'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
|
||||
'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')
|
||||
'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
|
||||
'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
|
||||
'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
|
||||
}
|
||||
|
||||
resource appConfiguration 'Microsoft.AppConfiguration/configurationStores@2021-10-01-preview' existing = {
|
||||
name: last(split(resourceId, '/'))
|
||||
}
|
||||
|
||||
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: {
|
||||
name: guid(appConfiguration.id, principalId, roleDefinitionIdOrName)
|
||||
properties: {
|
||||
description: description
|
||||
roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
|
||||
principalId: principalId
|
||||
principalType: !empty(principalType) ? any(principalType) : null
|
||||
condition: !empty(condition) ? condition : null
|
||||
conditionVersion: !empty(conditionVersion) && !empty(condition) ? conditionVersion : null
|
||||
delegatedManagedIdentityResourceId: !empty(delegatedManagedIdentityResourceId) ? delegatedManagedIdentityResourceId : null
|
||||
}
|
||||
scope: appConfiguration
|
||||
}]
|
|
@ -1,9 +0,0 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"name": {
|
||||
"value": "<<namePrefix>>-az-appc-min-001"
|
||||
}
|
||||
}
|
||||
}
|
|
@ -1,69 +0,0 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"name": {
|
||||
"value": "<<namePrefix>>-az-appc-x-001"
|
||||
},
|
||||
"lock": {
|
||||
"value": "CanNotDelete"
|
||||
},
|
||||
"diagnosticLogsRetentionInDays": {
|
||||
"value": 7
|
||||
},
|
||||
"diagnosticStorageAccountId": {
|
||||
"value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<<namePrefix>>azsax001"
|
||||
},
|
||||
"diagnosticWorkspaceId": {
|
||||
"value": "/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<<namePrefix>>-az-law-x-001"
|
||||
},
|
||||
"diagnosticEventHubAuthorizationRuleId": {
|
||||
"value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<<namePrefix>>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey"
|
||||
},
|
||||
"diagnosticEventHubName": {
|
||||
"value": "adp-<<namePrefix>>-az-evh-x-001"
|
||||
},
|
||||
"systemAssignedIdentity": {
|
||||
"value": true
|
||||
},
|
||||
"keyValues": {
|
||||
"value": [
|
||||
{
|
||||
"name": "keyName",
|
||||
"value": "valueName",
|
||||
"contentType": "contentType",
|
||||
"roleAssignments": [
|
||||
{
|
||||
"roleDefinitionIdOrName": "Reader",
|
||||
"principalIds": [
|
||||
"<<deploymentSpId>>"
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
]
|
||||
},
|
||||
"roleAssignments": {
|
||||
"value": [
|
||||
{
|
||||
"roleDefinitionIdOrName": "Reader",
|
||||
"principalIds": [
|
||||
"<<deploymentSpId>>"
|
||||
]
|
||||
}
|
||||
]
|
||||
},
|
||||
"createMode": {
|
||||
"value": "Default"
|
||||
},
|
||||
"disableLocalAuth": {
|
||||
"value": false
|
||||
},
|
||||
"enablePurgeProtection": {
|
||||
"value": false
|
||||
},
|
||||
"softDeleteRetentionInDays": {
|
||||
"value": 1
|
||||
}
|
||||
}
|
||||
}
|
|
@ -1,34 +0,0 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"name": {
|
||||
"value": "<<namePrefix>>-az-appc-pe-001"
|
||||
},
|
||||
"createMode": {
|
||||
"value": "Default"
|
||||
},
|
||||
"disableLocalAuth": {
|
||||
"value": false
|
||||
},
|
||||
"enablePurgeProtection": {
|
||||
"value": false
|
||||
},
|
||||
"softDeleteRetentionInDays": {
|
||||
"value": 1
|
||||
},
|
||||
"privateEndpoints": {
|
||||
"value": [
|
||||
{
|
||||
"subnetResourceId": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<<namePrefix>>-az-vnet-x-001/subnets/<<namePrefix>>-az-subnet-x-005-privateEndpoints",
|
||||
"service": "configurationStores",
|
||||
"privateDnsZoneGroup": {
|
||||
"privateDNSResourceIds": [
|
||||
"/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io"
|
||||
]
|
||||
}
|
||||
}
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
|
@ -1,244 +0,0 @@
|
|||
@description('Required. Name of the Azure App Configuration.')
|
||||
param name string
|
||||
|
||||
@description('Optional. Location for all Resources.')
|
||||
param location string = resourceGroup().location
|
||||
|
||||
@description('Optional. Enables system assigned managed identity on the resource.')
|
||||
param systemAssignedIdentity bool = false
|
||||
|
||||
@description('Optional. The ID(s) to assign to the resource.')
|
||||
param userAssignedIdentities object = {}
|
||||
|
||||
@allowed([
|
||||
'Free'
|
||||
'Standard'
|
||||
])
|
||||
@description('Optional. Pricing tier of App Configuration.')
|
||||
param sku string = 'Standard'
|
||||
|
||||
@allowed([
|
||||
'Default'
|
||||
'Recover'
|
||||
])
|
||||
@description('Optional. Indicates whether the configuration store need to be recovered.')
|
||||
param createMode string = 'Default'
|
||||
|
||||
@description('Optional. Disables all authentication methods other than AAD authentication.')
|
||||
param disableLocalAuth bool = false
|
||||
|
||||
@description('Optional. Property specifying whether protection against purge is enabled for this configuration store.')
|
||||
param enablePurgeProtection bool = false
|
||||
|
||||
@description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set.')
|
||||
@allowed([
|
||||
''
|
||||
'Enabled'
|
||||
'Disabled'
|
||||
])
|
||||
param publicNetworkAccess string = ''
|
||||
|
||||
@description('Optional. The amount of time in days that the configuration store will be retained when it is soft deleted.')
|
||||
@minValue(1)
|
||||
@maxValue(7)
|
||||
param softDeleteRetentionInDays int = 1
|
||||
|
||||
@description('Optional. All Key / Values to create.')
|
||||
param keyValues array = []
|
||||
|
||||
@description('Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely.')
|
||||
@minValue(0)
|
||||
@maxValue(365)
|
||||
param diagnosticLogsRetentionInDays int = 365
|
||||
|
||||
@description('Optional. Resource ID of the diagnostic storage account.')
|
||||
param diagnosticStorageAccountId string = ''
|
||||
|
||||
@description('Optional. Resource ID of the diagnostic log analytics workspace.')
|
||||
param diagnosticWorkspaceId string = ''
|
||||
|
||||
@description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.')
|
||||
param diagnosticEventHubAuthorizationRuleId string = ''
|
||||
|
||||
@description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category.')
|
||||
param diagnosticEventHubName string = ''
|
||||
|
||||
@allowed([
|
||||
''
|
||||
'CanNotDelete'
|
||||
'ReadOnly'
|
||||
])
|
||||
@description('Optional. Specify the type of lock.')
|
||||
param lock string = ''
|
||||
|
||||
@description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
|
||||
param roleAssignments array = []
|
||||
|
||||
@description('Optional. Tags of the resource.')
|
||||
param tags object = {}
|
||||
|
||||
@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
|
||||
param enableDefaultTelemetry bool = true
|
||||
|
||||
@description('Optional. The name of logs that will be streamed.')
|
||||
@allowed([
|
||||
'HttpRequest'
|
||||
'Audit'
|
||||
])
|
||||
param diagnosticLogCategoriesToEnable array = [
|
||||
'HttpRequest'
|
||||
'Audit'
|
||||
]
|
||||
|
||||
@description('Optional. The name of metrics that will be streamed.')
|
||||
@allowed([
|
||||
'AllMetrics'
|
||||
])
|
||||
param diagnosticMetricsToEnable array = [
|
||||
'AllMetrics'
|
||||
]
|
||||
|
||||
@description('Optional. The name of the diagnostic setting, if deployed.')
|
||||
param diagnosticSettingsName string = '${name}-diagnosticSettings'
|
||||
|
||||
@description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
|
||||
param privateEndpoints array = []
|
||||
|
||||
var enableReferencedModulesTelemetry = false
|
||||
|
||||
var diagnosticsLogs = [for category in diagnosticLogCategoriesToEnable: {
|
||||
category: category
|
||||
enabled: true
|
||||
retentionPolicy: {
|
||||
enabled: true
|
||||
days: diagnosticLogsRetentionInDays
|
||||
}
|
||||
}]
|
||||
|
||||
var diagnosticsMetrics = [for metric in diagnosticMetricsToEnable: {
|
||||
category: metric
|
||||
timeGrain: null
|
||||
enabled: true
|
||||
retentionPolicy: {
|
||||
enabled: true
|
||||
days: diagnosticLogsRetentionInDays
|
||||
}
|
||||
}]
|
||||
|
||||
var identityType = systemAssignedIdentity ? 'SystemAssigned' : !empty(userAssignedIdentities) ? 'UserAssigned' : 'None'
|
||||
|
||||
var identity = {
|
||||
type: identityType
|
||||
userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null
|
||||
}
|
||||
|
||||
resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
|
||||
name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
|
||||
properties: {
|
||||
mode: 'Incremental'
|
||||
template: {
|
||||
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
|
||||
contentVersion: '1.0.0.0'
|
||||
resources: []
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource configurationStore 'Microsoft.AppConfiguration/configurationStores@2021-10-01-preview' = {
|
||||
name: name
|
||||
location: location
|
||||
tags: tags
|
||||
sku: {
|
||||
name: sku
|
||||
}
|
||||
identity: identity
|
||||
properties: {
|
||||
createMode: createMode
|
||||
disableLocalAuth: disableLocalAuth
|
||||
enablePurgeProtection: sku == 'Free' ? false : enablePurgeProtection
|
||||
publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : null
|
||||
softDeleteRetentionInDays: sku == 'Free' ? 0 : softDeleteRetentionInDays
|
||||
}
|
||||
}
|
||||
|
||||
module configurationStore_keyValues 'keyValues/deploy.bicep' = [for (keyValue, index) in keyValues: {
|
||||
name: '${uniqueString(deployment().name, location)}-AppConfig-KeyValues-${index}'
|
||||
params: {
|
||||
appConfigurationName: configurationStore.name
|
||||
name: keyValue.name
|
||||
value: keyValue.value
|
||||
contentType: contains(keyValue, 'contentType') ? keyValue.contentType : ''
|
||||
tags: contains(keyValue, 'tags') ? keyValue.tags : {}
|
||||
enableDefaultTelemetry: enableReferencedModulesTelemetry
|
||||
}
|
||||
}]
|
||||
|
||||
resource configurationStore_lock 'Microsoft.Authorization/locks@2017-04-01' = if (!empty(lock)) {
|
||||
name: '${configurationStore.name}-${lock}-lock'
|
||||
properties: {
|
||||
level: any(lock)
|
||||
notes: lock == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
|
||||
}
|
||||
scope: configurationStore
|
||||
}
|
||||
|
||||
resource configurationStore_diagnosticSettings 'Microsoft.Insights/diagnosticsettings@2021-05-01-preview' = if ((!empty(diagnosticStorageAccountId)) || (!empty(diagnosticWorkspaceId)) || (!empty(diagnosticEventHubAuthorizationRuleId)) || (!empty(diagnosticEventHubName))) {
|
||||
name: diagnosticSettingsName
|
||||
properties: {
|
||||
storageAccountId: !empty(diagnosticStorageAccountId) ? diagnosticStorageAccountId : null
|
||||
workspaceId: !empty(diagnosticWorkspaceId) ? diagnosticWorkspaceId : null
|
||||
eventHubAuthorizationRuleId: !empty(diagnosticEventHubAuthorizationRuleId) ? diagnosticEventHubAuthorizationRuleId : null
|
||||
eventHubName: !empty(diagnosticEventHubName) ? diagnosticEventHubName : null
|
||||
metrics: diagnosticsMetrics
|
||||
logs: diagnosticsLogs
|
||||
}
|
||||
scope: configurationStore
|
||||
}
|
||||
|
||||
module configurationStore_roleAssignments '.bicep/nested_roleAssignments.bicep' = [for (roleAssignment, index) in roleAssignments: {
|
||||
name: '${uniqueString(deployment().name, location)}-AppConfig-Rbac-${index}'
|
||||
params: {
|
||||
description: contains(roleAssignment, 'description') ? roleAssignment.description : ''
|
||||
principalIds: roleAssignment.principalIds
|
||||
principalType: contains(roleAssignment, 'principalType') ? roleAssignment.principalType : ''
|
||||
roleDefinitionIdOrName: roleAssignment.roleDefinitionIdOrName
|
||||
condition: contains(roleAssignment, 'condition') ? roleAssignment.condition : ''
|
||||
delegatedManagedIdentityResourceId: contains(roleAssignment, 'delegatedManagedIdentityResourceId') ? roleAssignment.delegatedManagedIdentityResourceId : ''
|
||||
resourceId: configurationStore.id
|
||||
}
|
||||
}]
|
||||
|
||||
module configurationStore_privateEndpoints '../../Microsoft.Network/privateEndpoints/deploy.bicep' = [for (privateEndpoint, index) in privateEndpoints: {
|
||||
name: '${uniqueString(deployment().name, location)}-AppConfig-PrivateEndpoint-${index}'
|
||||
params: {
|
||||
groupIds: [
|
||||
privateEndpoint.service
|
||||
]
|
||||
name: contains(privateEndpoint, 'name') ? privateEndpoint.name : 'pe-${last(split(configurationStore.id, '/'))}-${privateEndpoint.service}-${index}'
|
||||
serviceResourceId: configurationStore.id
|
||||
subnetResourceId: privateEndpoint.subnetResourceId
|
||||
enableDefaultTelemetry: enableReferencedModulesTelemetry
|
||||
location: reference(split(privateEndpoint.subnetResourceId, '/subnets/')[0], '2020-06-01', 'Full').location
|
||||
lock: contains(privateEndpoint, 'lock') ? privateEndpoint.lock : lock
|
||||
privateDnsZoneGroup: contains(privateEndpoint, 'privateDnsZoneGroup') ? privateEndpoint.privateDnsZoneGroup : {}
|
||||
roleAssignments: contains(privateEndpoint, 'roleAssignments') ? privateEndpoint.roleAssignments : []
|
||||
tags: contains(privateEndpoint, 'tags') ? privateEndpoint.tags : {}
|
||||
manualPrivateLinkServiceConnections: contains(privateEndpoint, 'manualPrivateLinkServiceConnections') ? privateEndpoint.manualPrivateLinkServiceConnections : []
|
||||
customDnsConfigs: contains(privateEndpoint, 'customDnsConfigs') ? privateEndpoint.customDnsConfigs : []
|
||||
}
|
||||
}]
|
||||
|
||||
@description('The name of the app configuration.')
|
||||
output name string = configurationStore.name
|
||||
|
||||
@description('The resource ID of the app configuration.')
|
||||
output resourceId string = configurationStore.id
|
||||
|
||||
@description('The resource group the app configuration store was deployed into.')
|
||||
output resourceGroupName string = resourceGroup().name
|
||||
|
||||
@description('The principal ID of the system assigned identity.')
|
||||
output systemAssignedPrincipalId string = systemAssignedIdentity && contains(configurationStore.identity, 'principalId') ? configurationStore.identity.principalId : ''
|
||||
|
||||
@description('The location the resource was deployed into.')
|
||||
output location string = configurationStore.location
|
|
@ -1,67 +0,0 @@
|
|||
@sys.description('Required. The IDs of the principals to assign the role to.')
|
||||
param principalIds array
|
||||
|
||||
@sys.description('Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead.')
|
||||
param roleDefinitionIdOrName string
|
||||
|
||||
@sys.description('Required. The resource ID of the resource to apply the role assignment to.')
|
||||
param resourceId string
|
||||
|
||||
@sys.description('Optional. The principal type of the assigned principal ID.')
|
||||
@allowed([
|
||||
'ServicePrincipal'
|
||||
'Group'
|
||||
'User'
|
||||
'ForeignGroup'
|
||||
'Device'
|
||||
''
|
||||
])
|
||||
param principalType string = ''
|
||||
|
||||
@sys.description('Optional. The description of the role assignment.')
|
||||
param description string = ''
|
||||
|
||||
@sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"')
|
||||
param condition string = ''
|
||||
|
||||
@sys.description('Optional. Version of the condition.')
|
||||
@allowed([
|
||||
'2.0'
|
||||
])
|
||||
param conditionVersion string = '2.0'
|
||||
|
||||
@sys.description('Optional. Id of the delegated managed identity resource.')
|
||||
param delegatedManagedIdentityResourceId string = ''
|
||||
|
||||
var builtInRoleNames = {
|
||||
'Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
|
||||
'Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
|
||||
'Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
|
||||
'App Configuration Data Owner': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5ae67dd6-50cb-40e7-96ff-dc2bfa4b606b')
|
||||
'App Configuration Data Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '516239f1-63e1-4d78-a4de-a74fb236a071')
|
||||
'Log Analytics Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')
|
||||
'Log Analytics Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')
|
||||
'Managed Application Contributor Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')
|
||||
'Managed Application Operator Role': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')
|
||||
'Managed Applications Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')
|
||||
'Monitoring Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')
|
||||
'Monitoring Metrics Publisher': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '3913510d-42f4-4e42-8a64-420c390055eb')
|
||||
'Monitoring Reader': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')
|
||||
'Resource Policy Contributor': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')
|
||||
'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')
|
||||
}
|
||||
|
||||
resource appConfiguration 'Microsoft.AppConfiguration/configurationStores@2021-10-01-preview' existing = {
|
||||
name: last(split(resourceId, '/'))
|
||||
}
|
||||
|
||||
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for principalId in principalIds: {
|
||||
name: guid(appConfiguration.id, principalId, roleDefinitionIdOrName)
|
||||
properties: {
|
||||
description: description
|
||||
roleDefinitionId: contains(builtInRoleNames, roleDefinitionIdOrName) ? builtInRoleNames[roleDefinitionIdOrName] : roleDefinitionIdOrName
|
||||
principalId: principalId
|
||||
principalType: !empty(principalType) ? principalType : null
|
||||
}
|
||||
scope: appConfiguration
|
||||
}]
|
|
@ -1,51 +0,0 @@
|
|||
@description('Required. Name of the key.')
|
||||
param name string
|
||||
|
||||
@description('Required. Name of the value.')
|
||||
param value string
|
||||
|
||||
@description('Conditional. The name of the parent app configuration store. Required if the template is used in a standalone deployment.')
|
||||
param appConfigurationName string
|
||||
|
||||
@description('Optional. The content type of the key-values value. Providing a proper content-type can enable transformations of values when they are retrieved by applications.')
|
||||
param contentType string = ''
|
||||
|
||||
@description('Optional. Tags of the resource.')
|
||||
param tags object = {}
|
||||
|
||||
@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).') // update all the descriptions
|
||||
param enableDefaultTelemetry bool = true
|
||||
|
||||
resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
|
||||
name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
|
||||
properties: {
|
||||
mode: 'Incremental'
|
||||
template: {
|
||||
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
|
||||
contentVersion: '1.0.0.0'
|
||||
resources: []
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource appConfiguration 'Microsoft.AppConfiguration/configurationStores@2021-10-01-preview' existing = {
|
||||
name: appConfigurationName
|
||||
}
|
||||
|
||||
resource keyValues 'Microsoft.AppConfiguration/configurationStores/keyValues@2021-10-01-preview' = {
|
||||
name: name
|
||||
parent: appConfiguration
|
||||
properties: {
|
||||
contentType: contentType
|
||||
tags: tags
|
||||
value: value
|
||||
}
|
||||
}
|
||||
@description('The name of the key values.')
|
||||
output name string = keyValues.name
|
||||
|
||||
@description('The resource ID of the key values.')
|
||||
output resourceId string = keyValues.id
|
||||
|
||||
@description('The resource group the batch account was deployed into.')
|
||||
output resourceGroupName string = resourceGroup().name
|
|
@ -1,182 +0,0 @@
|
|||
# App Configuration `[Microsoft.AppConfiguration/configurationStores/keyValues]`
|
||||
|
||||
This module deploys an App Configuration Store.
|
||||
|
||||
## Navigation
|
||||
|
||||
- [Resource types](#Resource-types)
|
||||
- [Parameters](#Parameters)
|
||||
- [Outputs](#Outputs)
|
||||
- [Cross-referenced modules](#Cross-referenced-modules)
|
||||
|
||||
## Resource types
|
||||
|
||||
| Resource Type | API Version |
|
||||
| :-- | :-- |
|
||||
| `Microsoft.AppConfiguration/configurationStores/keyValues` | [2021-10-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.AppConfiguration/2021-10-01-preview/configurationStores/keyValues) |
|
||||
|
||||
## Parameters
|
||||
|
||||
**Required parameters**
|
||||
| Parameter Name | Type | Description |
|
||||
| :-- | :-- | :-- |
|
||||
| `name` | string | Name of the key. |
|
||||
| `value` | string | Name of the value. |
|
||||
|
||||
**Conditional parameters**
|
||||
| Parameter Name | Type | Description |
|
||||
| :-- | :-- | :-- |
|
||||
| `appConfigurationName` | string | The name of the parent app configuration store. Required if the template is used in a standalone deployment. |
|
||||
|
||||
**Optional parameters**
|
||||
| Parameter Name | Type | Default Value | Description |
|
||||
| :-- | :-- | :-- | :-- |
|
||||
| `contentType` | string | `''` | The content type of the key-values value. Providing a proper content-type can enable transformations of values when they are retrieved by applications. |
|
||||
| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). |
|
||||
| `tags` | object | `{object}` | Tags of the resource. |
|
||||
|
||||
|
||||
### Parameter Usage: `tags`
|
||||
|
||||
Tag names and tag values can be provided as needed. A tag can be left without a value.
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Parameter JSON format</summary>
|
||||
|
||||
```json
|
||||
"tags": {
|
||||
"value": {
|
||||
"Environment": "Non-Prod",
|
||||
"Contact": "test.user@testcompany.com",
|
||||
"PurchaseOrder": "1234",
|
||||
"CostCenter": "7890",
|
||||
"ServiceName": "DeploymentValidation",
|
||||
"Role": "DeploymentValidation"
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Bicep format</summary>
|
||||
|
||||
```bicep
|
||||
tags: {
|
||||
Environment: 'Non-Prod'
|
||||
Contact: 'test.user@testcompany.com'
|
||||
PurchaseOrder: '1234'
|
||||
CostCenter: '7890'
|
||||
ServiceName: 'DeploymentValidation'
|
||||
Role: 'DeploymentValidation'
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
<p>
|
||||
|
||||
### Parameter Usage: `userAssignedIdentities`
|
||||
|
||||
You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format:
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Parameter JSON format</summary>
|
||||
|
||||
```json
|
||||
"userAssignedIdentities": {
|
||||
"value": {
|
||||
"/subscriptions/12345678-1234-1234-1234-123456789012/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {},
|
||||
"/subscriptions/12345678-1234-1234-1234-123456789012/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {}
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Bicep format</summary>
|
||||
|
||||
```bicep
|
||||
userAssignedIdentities: {
|
||||
'/subscriptions/12345678-1234-1234-1234-123456789012/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {}
|
||||
'/subscriptions/12345678-1234-1234-1234-123456789012/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {}
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
<p>
|
||||
|
||||
### Parameter Usage: `roleAssignments`
|
||||
|
||||
Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure.
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Parameter JSON format</summary>
|
||||
|
||||
```json
|
||||
"roleAssignments": {
|
||||
"value": [
|
||||
{
|
||||
"roleDefinitionIdOrName": "Reader",
|
||||
"description": "Reader Role Assignment",
|
||||
"principalIds": [
|
||||
"12345678-1234-1234-1234-123456789012", // object 1
|
||||
"78945612-1234-1234-1234-123456789012" // object 2
|
||||
]
|
||||
},
|
||||
{
|
||||
"roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
|
||||
"principalIds": [
|
||||
"12345678-1234-1234-1234-123456789012" // object 1
|
||||
],
|
||||
"principalType": "ServicePrincipal"
|
||||
}
|
||||
]
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Bicep format</summary>
|
||||
|
||||
```bicep
|
||||
roleAssignments: [
|
||||
{
|
||||
roleDefinitionIdOrName: 'Reader'
|
||||
description: 'Reader Role Assignment'
|
||||
principalIds: [
|
||||
'12345678-1234-1234-1234-123456789012' // object 1
|
||||
'78945612-1234-1234-1234-123456789012' // object 2
|
||||
]
|
||||
}
|
||||
{
|
||||
roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'
|
||||
principalIds: [
|
||||
'12345678-1234-1234-1234-123456789012' // object 1
|
||||
]
|
||||
principalType: 'ServicePrincipal'
|
||||
}
|
||||
]
|
||||
```
|
||||
|
||||
</details>
|
||||
<p>
|
||||
|
||||
## Outputs
|
||||
|
||||
| Output Name | Type | Description |
|
||||
| :-- | :-- | :-- |
|
||||
| `name` | string | The name of the key values. |
|
||||
| `resourceGroupName` | string | The resource group the batch account was deployed into. |
|
||||
| `resourceId` | string | The resource ID of the key values. |
|
||||
|
||||
## Cross-referenced modules
|
||||
|
||||
_None_
|
|
@ -1,4 +0,0 @@
|
|||
{
|
||||
"$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
|
||||
"version": "0.1"
|
||||
}
|
|
@ -1,550 +0,0 @@
|
|||
# App Configuration `[Microsoft.AppConfiguration/configurationStores]`
|
||||
|
||||
This module deploys an App Configuration Store.
|
||||
|
||||
## Navigation
|
||||
|
||||
- [Resource types](#Resource-types)
|
||||
- [Parameters](#Parameters)
|
||||
- [Outputs](#Outputs)
|
||||
- [Cross-referenced modules](#Cross-referenced-modules)
|
||||
- [Deployment examples](#Deployment-examples)
|
||||
|
||||
## Resource types
|
||||
|
||||
| Resource Type | API Version |
|
||||
| :-- | :-- |
|
||||
| `Microsoft.AppConfiguration/configurationStores` | [2021-10-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.AppConfiguration/2021-10-01-preview/configurationStores) |
|
||||
| `Microsoft.AppConfiguration/configurationStores/keyValues` | [2021-10-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.AppConfiguration/2021-10-01-preview/configurationStores/keyValues) |
|
||||
| `Microsoft.Authorization/locks` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) |
|
||||
| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
|
||||
| `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) |
|
||||
| `Microsoft.Network/privateEndpoints` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-08-01/privateEndpoints) |
|
||||
| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2021-08-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Network/2021-08-01/privateEndpoints/privateDnsZoneGroups) |
|
||||
|
||||
## Parameters
|
||||
|
||||
**Required parameters**
|
||||
| Parameter Name | Type | Description |
|
||||
| :-- | :-- | :-- |
|
||||
| `name` | string | Name of the Azure App Configuration. |
|
||||
|
||||
**Optional parameters**
|
||||
| Parameter Name | Type | Default Value | Allowed Values | Description |
|
||||
| :-- | :-- | :-- | :-- | :-- |
|
||||
| `createMode` | string | `'Default'` | `[Default, Recover]` | Indicates whether the configuration store need to be recovered. |
|
||||
| `diagnosticEventHubAuthorizationRuleId` | string | `''` | | Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to. |
|
||||
| `diagnosticEventHubName` | string | `''` | | Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. |
|
||||
| `diagnosticLogCategoriesToEnable` | array | `[Audit, HttpRequest]` | `[Audit, HttpRequest]` | The name of logs that will be streamed. |
|
||||
| `diagnosticLogsRetentionInDays` | int | `365` | | Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely. |
|
||||
| `diagnosticMetricsToEnable` | array | `[AllMetrics]` | `[AllMetrics]` | The name of metrics that will be streamed. |
|
||||
| `diagnosticSettingsName` | string | `[format('{0}-diagnosticSettings', parameters('name'))]` | | The name of the diagnostic setting, if deployed. |
|
||||
| `diagnosticStorageAccountId` | string | `''` | | Resource ID of the diagnostic storage account. |
|
||||
| `diagnosticWorkspaceId` | string | `''` | | Resource ID of the diagnostic log analytics workspace. |
|
||||
| `disableLocalAuth` | bool | `False` | | Disables all authentication methods other than AAD authentication. |
|
||||
| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). |
|
||||
| `enablePurgeProtection` | bool | `False` | | Property specifying whether protection against purge is enabled for this configuration store. |
|
||||
| `keyValues` | _[keyValues](keyValues/readme.md)_ array | `[]` | | All Key / Values to create. |
|
||||
| `location` | string | `[resourceGroup().location]` | | Location for all Resources. |
|
||||
| `lock` | string | `''` | `['', CanNotDelete, ReadOnly]` | Specify the type of lock. |
|
||||
| `privateEndpoints` | array | `[]` | | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. |
|
||||
| `publicNetworkAccess` | string | `''` | `['', Disabled, Enabled]` | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. |
|
||||
| `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
|
||||
| `sku` | string | `'Standard'` | `[Free, Standard]` | Pricing tier of App Configuration. |
|
||||
| `softDeleteRetentionInDays` | int | `1` | | The amount of time in days that the configuration store will be retained when it is soft deleted. |
|
||||
| `systemAssignedIdentity` | bool | `False` | | Enables system assigned managed identity on the resource. |
|
||||
| `tags` | object | `{object}` | | Tags of the resource. |
|
||||
| `userAssignedIdentities` | object | `{object}` | | The ID(s) to assign to the resource. |
|
||||
|
||||
|
||||
### Parameter Usage: `tags`
|
||||
|
||||
Tag names and tag values can be provided as needed. A tag can be left without a value.
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Parameter JSON format</summary>
|
||||
|
||||
```json
|
||||
"tags": {
|
||||
"value": {
|
||||
"Environment": "Non-Prod",
|
||||
"Contact": "test.user@testcompany.com",
|
||||
"PurchaseOrder": "1234",
|
||||
"CostCenter": "7890",
|
||||
"ServiceName": "DeploymentValidation",
|
||||
"Role": "DeploymentValidation"
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Bicep format</summary>
|
||||
|
||||
```bicep
|
||||
tags: {
|
||||
Environment: 'Non-Prod'
|
||||
Contact: 'test.user@testcompany.com'
|
||||
PurchaseOrder: '1234'
|
||||
CostCenter: '7890'
|
||||
ServiceName: 'DeploymentValidation'
|
||||
Role: 'DeploymentValidation'
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
<p>
|
||||
|
||||
### Parameter Usage: `userAssignedIdentities`
|
||||
|
||||
You can specify multiple user assigned identities to a resource by providing additional resource IDs using the following format:
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Parameter JSON format</summary>
|
||||
|
||||
```json
|
||||
"userAssignedIdentities": {
|
||||
"value": {
|
||||
"/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001": {},
|
||||
"/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002": {}
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Bicep format</summary>
|
||||
|
||||
```bicep
|
||||
userAssignedIdentities: {
|
||||
'/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-001': {}
|
||||
'/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-sxx-az-msi-x-002': {}
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
<p>
|
||||
|
||||
### Parameter Usage: `roleAssignments`
|
||||
|
||||
Create a role assignment for the given resource. If you want to assign a service principal / managed identity that is created in the same deployment, make sure to also specify the `'principalType'` parameter and set it to `'ServicePrincipal'`. This will ensure the role assignment waits for the principal's propagation in Azure.
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Parameter JSON format</summary>
|
||||
|
||||
```json
|
||||
"roleAssignments": {
|
||||
"value": [
|
||||
{
|
||||
"roleDefinitionIdOrName": "Reader",
|
||||
"description": "Reader Role Assignment",
|
||||
"principalIds": [
|
||||
"12345678-1234-1234-1234-123456789012", // object 1
|
||||
"78945612-1234-1234-1234-123456789012" // object 2
|
||||
]
|
||||
},
|
||||
{
|
||||
"roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11",
|
||||
"principalIds": [
|
||||
"12345678-1234-1234-1234-123456789012" // object 1
|
||||
],
|
||||
"principalType": "ServicePrincipal"
|
||||
}
|
||||
]
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Bicep format</summary>
|
||||
|
||||
```bicep
|
||||
roleAssignments: [
|
||||
{
|
||||
roleDefinitionIdOrName: 'Reader'
|
||||
description: 'Reader Role Assignment'
|
||||
principalIds: [
|
||||
'12345678-1234-1234-1234-123456789012' // object 1
|
||||
'78945612-1234-1234-1234-123456789012' // object 2
|
||||
]
|
||||
}
|
||||
{
|
||||
roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'
|
||||
principalIds: [
|
||||
'12345678-1234-1234-1234-123456789012' // object 1
|
||||
]
|
||||
principalType: 'ServicePrincipal'
|
||||
}
|
||||
]
|
||||
```
|
||||
|
||||
</details>
|
||||
<p>
|
||||
|
||||
### Parameter Usage: `privateEndpoints`
|
||||
|
||||
To use Private Endpoint the following dependencies must be deployed:
|
||||
|
||||
- Destination subnet must be created with the following configuration option - `"privateEndpointNetworkPolicies": "Disabled"`. Setting this option acknowledges that NSG rules are not applied to Private Endpoints (this capability is coming soon). A full example is available in the Virtual Network Module.
|
||||
- Although not strictly required, it is highly recommended to first create a private DNS Zone to host Private Endpoint DNS records. See [Azure Private Endpoint DNS configuration](https://docs.microsoft.com/en-us/azure/private-link/private-endpoint-dns) for more information.
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Parameter JSON format</summary>
|
||||
|
||||
```json
|
||||
"privateEndpoints": {
|
||||
"value": [
|
||||
// Example showing all available fields
|
||||
{
|
||||
"name": "sxx-az-pe", // Optional: Name will be automatically generated if one is not provided here
|
||||
"subnetResourceId": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001",
|
||||
"service": "<serviceName>", // e.g. vault, registry, blob
|
||||
"privateDnsZoneGroup": {
|
||||
"privateDNSResourceIds": [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified
|
||||
"/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/<privateDnsZoneName>" // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net
|
||||
]
|
||||
},
|
||||
"customDnsConfigs": [ // Optional
|
||||
{
|
||||
"fqdn": "customname.test.local",
|
||||
"ipAddresses": [
|
||||
"10.10.10.10"
|
||||
]
|
||||
}
|
||||
]
|
||||
},
|
||||
// Example showing only mandatory fields
|
||||
{
|
||||
"subnetResourceId": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001",
|
||||
"service": "<serviceName>" // e.g. vault, registry, blob
|
||||
}
|
||||
]
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Bicep format</summary>
|
||||
|
||||
```bicep
|
||||
privateEndpoints: [
|
||||
// Example showing all available fields
|
||||
{
|
||||
name: 'sxx-az-pe' // Optional: Name will be automatically generated if one is not provided here
|
||||
subnetResourceId: '/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001'
|
||||
service: '<serviceName>' // e.g. vault, registry, blob
|
||||
privateDnsZoneGroups: {
|
||||
privateDNSResourceIds: [ // Optional: No DNS record will be created if a private DNS zone Resource ID is not specified
|
||||
'/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/<privateDnsZoneName>' // e.g. privatelink.vaultcore.azure.net, privatelink.azurecr.io, privatelink.blob.core.windows.net
|
||||
]
|
||||
}
|
||||
// Optional
|
||||
customDnsConfigs: [
|
||||
{
|
||||
fqdn: 'customname.test.local'
|
||||
ipAddresses: [
|
||||
'10.10.10.10'
|
||||
]
|
||||
}
|
||||
]
|
||||
}
|
||||
// Example showing only mandatory fields
|
||||
{
|
||||
subnetResourceId: '/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/sxx-az-vnet-x-001/subnets/sxx-az-subnet-x-001'
|
||||
service: '<serviceName>' // e.g. vault, registry, blob
|
||||
}
|
||||
]
|
||||
```
|
||||
|
||||
</details>
|
||||
<p>
|
||||
|
||||
## Outputs
|
||||
|
||||
| Output Name | Type | Description |
|
||||
| :-- | :-- | :-- |
|
||||
| `location` | string | The location the resource was deployed into. |
|
||||
| `name` | string | The name of the app configuration. |
|
||||
| `resourceGroupName` | string | The resource group the app configuration store was deployed into. |
|
||||
| `resourceId` | string | The resource ID of the app configuration. |
|
||||
| `systemAssignedPrincipalId` | string | The principal ID of the system assigned identity. |
|
||||
|
||||
## Cross-referenced modules
|
||||
|
||||
This section gives you an overview of all local-referenced module files (i.e., other CARML modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs).
|
||||
|
||||
| Reference | Type |
|
||||
| :-- | :-- |
|
||||
| `Microsoft.Network/privateEndpoints` | Local reference |
|
||||
|
||||
## Deployment examples
|
||||
|
||||
The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder.
|
||||
>**Note**: The name of each example is based on the name of the file from which it is taken.
|
||||
|
||||
>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order.
|
||||
|
||||
<h3>Example 1: Min</h3>
|
||||
|
||||
<details>
|
||||
|
||||
<summary>via Bicep module</summary>
|
||||
|
||||
```bicep
|
||||
module configurationStores './Microsoft.AppConfiguration/configurationStores/deploy.bicep' = {
|
||||
name: '${uniqueString(deployment().name)}-ConfigurationStores'
|
||||
params: {
|
||||
name: '<<namePrefix>>-az-appc-min-001'
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
<p>
|
||||
|
||||
<details>
|
||||
|
||||
<summary>via JSON Parameter file</summary>
|
||||
|
||||
```json
|
||||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"name": {
|
||||
"value": "<<namePrefix>>-az-appc-min-001"
|
||||
}
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
<p>
|
||||
|
||||
<h3>Example 2: Parameters</h3>
|
||||
|
||||
<details>
|
||||
|
||||
<summary>via Bicep module</summary>
|
||||
|
||||
```bicep
|
||||
module configurationStores './Microsoft.AppConfiguration/configurationStores/deploy.bicep' = {
|
||||
name: '${uniqueString(deployment().name)}-ConfigurationStores'
|
||||
params: {
|
||||
// Required parameters
|
||||
name: '<<namePrefix>>-az-appc-x-001'
|
||||
// Non-required parameters
|
||||
createMode: 'Default'
|
||||
diagnosticEventHubAuthorizationRuleId: '/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<<namePrefix>>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey'
|
||||
diagnosticEventHubName: 'adp-<<namePrefix>>-az-evh-x-001'
|
||||
diagnosticLogsRetentionInDays: 7
|
||||
diagnosticStorageAccountId: '/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<<namePrefix>>azsax001'
|
||||
diagnosticWorkspaceId: '/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<<namePrefix>>-az-law-x-001'
|
||||
disableLocalAuth: false
|
||||
enablePurgeProtection: false
|
||||
keyValues: [
|
||||
{
|
||||
contentType: 'contentType'
|
||||
name: 'keyName'
|
||||
roleAssignments: [
|
||||
{
|
||||
principalIds: [
|
||||
'<<deploymentSpId>>'
|
||||
]
|
||||
roleDefinitionIdOrName: 'Reader'
|
||||
}
|
||||
]
|
||||
value: 'valueName'
|
||||
}
|
||||
]
|
||||
lock: 'CanNotDelete'
|
||||
roleAssignments: [
|
||||
{
|
||||
principalIds: [
|
||||
'<<deploymentSpId>>'
|
||||
]
|
||||
roleDefinitionIdOrName: 'Reader'
|
||||
}
|
||||
]
|
||||
softDeleteRetentionInDays: 1
|
||||
systemAssignedIdentity: true
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
<p>
|
||||
|
||||
<details>
|
||||
|
||||
<summary>via JSON Parameter file</summary>
|
||||
|
||||
```json
|
||||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
// Required parameters
|
||||
"name": {
|
||||
"value": "<<namePrefix>>-az-appc-x-001"
|
||||
},
|
||||
// Non-required parameters
|
||||
"createMode": {
|
||||
"value": "Default"
|
||||
},
|
||||
"diagnosticEventHubAuthorizationRuleId": {
|
||||
"value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.EventHub/namespaces/adp-<<namePrefix>>-az-evhns-x-001/AuthorizationRules/RootManageSharedAccessKey"
|
||||
},
|
||||
"diagnosticEventHubName": {
|
||||
"value": "adp-<<namePrefix>>-az-evh-x-001"
|
||||
},
|
||||
"diagnosticLogsRetentionInDays": {
|
||||
"value": 7
|
||||
},
|
||||
"diagnosticStorageAccountId": {
|
||||
"value": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Storage/storageAccounts/adp<<namePrefix>>azsax001"
|
||||
},
|
||||
"diagnosticWorkspaceId": {
|
||||
"value": "/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/microsoft.operationalinsights/workspaces/adp-<<namePrefix>>-az-law-x-001"
|
||||
},
|
||||
"disableLocalAuth": {
|
||||
"value": false
|
||||
},
|
||||
"enablePurgeProtection": {
|
||||
"value": false
|
||||
},
|
||||
"keyValues": {
|
||||
"value": [
|
||||
{
|
||||
"contentType": "contentType",
|
||||
"name": "keyName",
|
||||
"roleAssignments": [
|
||||
{
|
||||
"principalIds": [
|
||||
"<<deploymentSpId>>"
|
||||
],
|
||||
"roleDefinitionIdOrName": "Reader"
|
||||
}
|
||||
],
|
||||
"value": "valueName"
|
||||
}
|
||||
]
|
||||
},
|
||||
"lock": {
|
||||
"value": "CanNotDelete"
|
||||
},
|
||||
"roleAssignments": {
|
||||
"value": [
|
||||
{
|
||||
"principalIds": [
|
||||
"<<deploymentSpId>>"
|
||||
],
|
||||
"roleDefinitionIdOrName": "Reader"
|
||||
}
|
||||
]
|
||||
},
|
||||
"softDeleteRetentionInDays": {
|
||||
"value": 1
|
||||
},
|
||||
"systemAssignedIdentity": {
|
||||
"value": true
|
||||
}
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
<p>
|
||||
|
||||
<h3>Example 3: Pe</h3>
|
||||
|
||||
<details>
|
||||
|
||||
<summary>via Bicep module</summary>
|
||||
|
||||
```bicep
|
||||
module configurationStores './Microsoft.AppConfiguration/configurationStores/deploy.bicep' = {
|
||||
name: '${uniqueString(deployment().name)}-ConfigurationStores'
|
||||
params: {
|
||||
// Required parameters
|
||||
name: '<<namePrefix>>-az-appc-pe-001'
|
||||
// Non-required parameters
|
||||
createMode: 'Default'
|
||||
disableLocalAuth: false
|
||||
enablePurgeProtection: false
|
||||
privateEndpoints: [
|
||||
{
|
||||
privateDnsZoneGroup: {
|
||||
privateDNSResourceIds: [
|
||||
'/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io'
|
||||
]
|
||||
}
|
||||
service: 'configurationStores'
|
||||
subnetResourceId: '/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<<namePrefix>>-az-vnet-x-001/subnets/<<namePrefix>>-az-subnet-x-005-privateEndpoints'
|
||||
}
|
||||
]
|
||||
softDeleteRetentionInDays: 1
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
<p>
|
||||
|
||||
<details>
|
||||
|
||||
<summary>via JSON Parameter file</summary>
|
||||
|
||||
```json
|
||||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
// Required parameters
|
||||
"name": {
|
||||
"value": "<<namePrefix>>-az-appc-pe-001"
|
||||
},
|
||||
// Non-required parameters
|
||||
"createMode": {
|
||||
"value": "Default"
|
||||
},
|
||||
"disableLocalAuth": {
|
||||
"value": false
|
||||
},
|
||||
"enablePurgeProtection": {
|
||||
"value": false
|
||||
},
|
||||
"privateEndpoints": {
|
||||
"value": [
|
||||
{
|
||||
"privateDnsZoneGroup": {
|
||||
"privateDNSResourceIds": [
|
||||
"/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/privateDnsZones/privatelink.azconfig.io"
|
||||
]
|
||||
},
|
||||
"service": "configurationStores",
|
||||
"subnetResourceId": "/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.Network/virtualNetworks/adp-<<namePrefix>>-az-vnet-x-001/subnets/<<namePrefix>>-az-subnet-x-005-privateEndpoints"
|
||||
}
|
||||
]
|
||||
},
|
||||
"softDeleteRetentionInDays": {
|
||||
"value": 1
|
||||
}
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
<p>
|
|
@ -1,4 +0,0 @@
|
|||
{
|
||||
"$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
|
||||
"version": "0.3"
|
||||
}
|
|
@ -1,15 +0,0 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"level": {
|
||||
"value": "CanNotDelete"
|
||||
},
|
||||
"resourceGroupName": {
|
||||
"value": "adp-<<namePrefix>>-az-locks-rg-001"
|
||||
},
|
||||
"subscriptionId": {
|
||||
"value": "<<subscriptionId>>"
|
||||
}
|
||||
}
|
||||
}
|
|
@ -1,69 +0,0 @@
|
|||
targetScope = 'subscription'
|
||||
|
||||
@allowed([
|
||||
'CanNotDelete'
|
||||
'ReadOnly'
|
||||
])
|
||||
@description('Required. Set lock level.')
|
||||
param level string
|
||||
|
||||
@description('Optional. The decription attached to the lock.')
|
||||
param notes string = level == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
|
||||
|
||||
@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
|
||||
param enableDefaultTelemetry bool = true
|
||||
|
||||
@description('Optional. Name of the Resource Group to assign the lock to. If Resource Group name is provided, and Subscription ID is provided, the module deploys at resource group level, therefore assigns the provided lock to the resource group.')
|
||||
param resourceGroupName string = ''
|
||||
|
||||
@description('Optional. Subscription ID of the subscription to assign the lock to. If not provided, will use the current scope for deployment. If no resource group name is provided, the module deploys at subscription level, therefore assigns the provided locks to the subscription.')
|
||||
param subscriptionId string = subscription().id
|
||||
|
||||
@sys.description('Optional. Location for all resources.')
|
||||
param location string = deployment().location
|
||||
|
||||
var enableReferencedModulesTelemetry = false
|
||||
|
||||
resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
|
||||
name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
|
||||
location: location
|
||||
properties: {
|
||||
mode: 'Incremental'
|
||||
template: {
|
||||
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
|
||||
contentVersion: '1.0.0.0'
|
||||
resources: []
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
module lock_sub 'subscription/deploy.bicep' = if (!empty(subscriptionId) && empty(resourceGroupName)) {
|
||||
name: '${uniqueString(deployment().name, location)}-Lock-Sub-Module'
|
||||
scope: subscription(subscriptionId)
|
||||
params: {
|
||||
name: '${subscription().displayName}-${level}-lock'
|
||||
level: level
|
||||
notes: notes
|
||||
enableDefaultTelemetry: enableReferencedModulesTelemetry
|
||||
}
|
||||
}
|
||||
|
||||
module lock_rg 'resourceGroup/deploy.bicep' = if (!empty(subscriptionId) && !empty(resourceGroupName)) {
|
||||
name: '${uniqueString(deployment().name, location)}-Lock-RG-Module'
|
||||
scope: resourceGroup(subscriptionId, resourceGroupName)
|
||||
params: {
|
||||
name: '${resourceGroupName}-${level}-lock'
|
||||
level: level
|
||||
notes: notes
|
||||
enableDefaultTelemetry: enableReferencedModulesTelemetry
|
||||
}
|
||||
}
|
||||
|
||||
@description('The name of the lock.')
|
||||
output name string = empty(resourceGroupName) ? lock_sub.outputs.name : lock_rg.outputs.name
|
||||
|
||||
@description('The resource ID of the lock.')
|
||||
output resourceId string = empty(resourceGroupName) ? lock_sub.outputs.resourceId : lock_rg.outputs.resourceId
|
||||
|
||||
@sys.description('The scope this lock applies to.')
|
||||
output scope string = empty(resourceGroupName) ? lock_sub.outputs.scope : lock_rg.outputs.scope
|
|
@ -1,102 +0,0 @@
|
|||
# Authorization Locks `[Microsoft.Authorization/locks]`
|
||||
|
||||
This module deploys Authorization Locks.
|
||||
|
||||
## Navigation
|
||||
|
||||
- [Resource Types](#Resource-Types)
|
||||
- [Parameters](#Parameters)
|
||||
- [Outputs](#Outputs)
|
||||
- [Cross-referenced modules](#Cross-referenced-modules)
|
||||
- [Deployment examples](#Deployment-examples)
|
||||
|
||||
## Resource Types
|
||||
|
||||
| Resource Type | API Version |
|
||||
| :-- | :-- |
|
||||
| `Microsoft.Authorization/locks` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) |
|
||||
|
||||
## Parameters
|
||||
|
||||
**Required parameters**
|
||||
| Parameter Name | Type | Allowed Values | Description |
|
||||
| :-- | :-- | :-- | :-- |
|
||||
| `level` | string | `[CanNotDelete, ReadOnly]` | Set lock level. |
|
||||
|
||||
**Optional parameters**
|
||||
| Parameter Name | Type | Default Value | Description |
|
||||
| :-- | :-- | :-- | :-- |
|
||||
| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). |
|
||||
| `location` | string | `[deployment().location]` | Location for all resources. |
|
||||
| `notes` | string | `[if(equals(parameters('level'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]` | The decription attached to the lock. |
|
||||
| `resourceGroupName` | string | `''` | Name of the Resource Group to assign the lock to. If Resource Group name is provided, and Subscription ID is provided, the module deploys at resource group level, therefore assigns the provided lock to the resource group. |
|
||||
| `subscriptionId` | string | `[subscription().id]` | Subscription ID of the subscription to assign the lock to. If not provided, will use the current scope for deployment. If no resource group name is provided, the module deploys at subscription level, therefore assigns the provided locks to the subscription. |
|
||||
|
||||
|
||||
## Outputs
|
||||
|
||||
| Output Name | Type | Description |
|
||||
| :-- | :-- | :-- |
|
||||
| `name` | string | The name of the lock. |
|
||||
| `resourceId` | string | The resource ID of the lock. |
|
||||
| `scope` | string | The scope this lock applies to. |
|
||||
|
||||
## Cross-referenced modules
|
||||
|
||||
_None_
|
||||
|
||||
## Deployment examples
|
||||
|
||||
The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder.
|
||||
>**Note**: The name of each example is based on the name of the file from which it is taken.
|
||||
|
||||
>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order.
|
||||
|
||||
<h3>Example 1: Rg</h3>
|
||||
|
||||
<details>
|
||||
|
||||
<summary>via Bicep module</summary>
|
||||
|
||||
```bicep
|
||||
module locks './Microsoft.Authorization/locks/deploy.bicep' = {
|
||||
name: '${uniqueString(deployment().name)}-Locks'
|
||||
params: {
|
||||
// Required parameters
|
||||
level: 'CanNotDelete'
|
||||
// Non-required parameters
|
||||
resourceGroupName: 'adp-<<namePrefix>>-az-locks-rg-001'
|
||||
subscriptionId: '<<subscriptionId>>'
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
<p>
|
||||
|
||||
<details>
|
||||
|
||||
<summary>via JSON Parameter file</summary>
|
||||
|
||||
```json
|
||||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
// Required parameters
|
||||
"level": {
|
||||
"value": "CanNotDelete"
|
||||
},
|
||||
// Non-required parameters
|
||||
"resourceGroupName": {
|
||||
"value": "adp-<<namePrefix>>-az-locks-rg-001"
|
||||
},
|
||||
"subscriptionId": {
|
||||
"value": "<<subscriptionId>>"
|
||||
}
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
<p>
|
|
@ -1,49 +0,0 @@
|
|||
targetScope = 'resourceGroup'
|
||||
|
||||
@description('Optional. The name of the lock.')
|
||||
param name string = '${level}-lock'
|
||||
|
||||
@allowed([
|
||||
'CanNotDelete'
|
||||
'ReadOnly'
|
||||
])
|
||||
@description('Required. Set lock level.')
|
||||
param level string
|
||||
|
||||
@description('Optional. The decription attached to the lock.')
|
||||
param notes string = level == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
|
||||
|
||||
@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
|
||||
param enableDefaultTelemetry bool = true
|
||||
|
||||
resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
|
||||
name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
|
||||
properties: {
|
||||
mode: 'Incremental'
|
||||
template: {
|
||||
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
|
||||
contentVersion: '1.0.0.0'
|
||||
resources: []
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource lock 'Microsoft.Authorization/locks@2017-04-01' = {
|
||||
name: name
|
||||
properties: {
|
||||
level: level
|
||||
notes: notes
|
||||
}
|
||||
}
|
||||
|
||||
@description('The name of the lock.')
|
||||
output name string = lock.name
|
||||
|
||||
@description('The resource ID of the lock.')
|
||||
output resourceId string = lock.id
|
||||
|
||||
@description('The name of the resource group name the lock was applied to.')
|
||||
output resourceGroupName string = resourceGroup().name
|
||||
|
||||
@sys.description('The scope this lock applies to.')
|
||||
output scope string = resourceGroup().id
|
|
@ -1,44 +0,0 @@
|
|||
# Authorization Locks on Resource Group level `[Microsoft.Authorization/locks/resourceGroup]`
|
||||
|
||||
This module deploys Authorization Locks on Resource Group level.
|
||||
|
||||
## Navigation
|
||||
|
||||
- [Resource Types](#Resource-Types)
|
||||
- [Parameters](#Parameters)
|
||||
- [Outputs](#Outputs)
|
||||
- [Cross-referenced modules](#Cross-referenced-modules)
|
||||
|
||||
## Resource Types
|
||||
|
||||
| Resource Type | API Version |
|
||||
| :-- | :-- |
|
||||
| `Microsoft.Authorization/locks` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) |
|
||||
|
||||
## Parameters
|
||||
|
||||
**Required parameters**
|
||||
| Parameter Name | Type | Allowed Values | Description |
|
||||
| :-- | :-- | :-- | :-- |
|
||||
| `level` | string | `[CanNotDelete, ReadOnly]` | Set lock level. |
|
||||
|
||||
**Optional parameters**
|
||||
| Parameter Name | Type | Default Value | Description |
|
||||
| :-- | :-- | :-- | :-- |
|
||||
| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). |
|
||||
| `name` | string | `[format('{0}-lock', parameters('level'))]` | The name of the lock. |
|
||||
| `notes` | string | `[if(equals(parameters('level'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]` | The decription attached to the lock. |
|
||||
|
||||
|
||||
## Outputs
|
||||
|
||||
| Output Name | Type | Description |
|
||||
| :-- | :-- | :-- |
|
||||
| `name` | string | The name of the lock. |
|
||||
| `resourceGroupName` | string | The name of the resource group name the lock was applied to. |
|
||||
| `resourceId` | string | The resource ID of the lock. |
|
||||
| `scope` | string | The scope this lock applies to. |
|
||||
|
||||
## Cross-referenced modules
|
||||
|
||||
_None_
|
|
@ -1,4 +0,0 @@
|
|||
{
|
||||
"$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
|
||||
"version": "0.1"
|
||||
}
|
|
@ -1,49 +0,0 @@
|
|||
targetScope = 'subscription'
|
||||
|
||||
@description('Optional. The name of the lock.')
|
||||
param name string = '${level}-lock'
|
||||
|
||||
@allowed([
|
||||
'CanNotDelete'
|
||||
'ReadOnly'
|
||||
])
|
||||
@description('Required. Set lock level.')
|
||||
param level string
|
||||
|
||||
@description('Optional. The decription attached to the lock.')
|
||||
param notes string = level == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot modify the resource or child resources.'
|
||||
|
||||
@description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
|
||||
param enableDefaultTelemetry bool = true
|
||||
|
||||
resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
|
||||
name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}'
|
||||
properties: {
|
||||
mode: 'Incremental'
|
||||
template: {
|
||||
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
|
||||
contentVersion: '1.0.0.0'
|
||||
resources: []
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource lock 'Microsoft.Authorization/locks@2017-04-01' = {
|
||||
name: name
|
||||
properties: {
|
||||
level: level
|
||||
notes: notes
|
||||
}
|
||||
}
|
||||
|
||||
@description('The name of the lock.')
|
||||
output name string = lock.name
|
||||
|
||||
@description('The resource ID of the lock.')
|
||||
output resourceId string = lock.id
|
||||
|
||||
@description('The subscription name the lock was deployed into.')
|
||||
output subscriptionName string = subscription().displayName
|
||||
|
||||
@sys.description('The scope this lock applies to.')
|
||||
output scope string = subscription().id
|
|
@ -1,44 +0,0 @@
|
|||
# Authorization Locks on Subscription level `[Microsoft.Authorization/locks/subscription]`
|
||||
|
||||
This module deploys Authorization Locks on Subscription level.
|
||||
|
||||
## Navigation
|
||||
|
||||
- [Resource Types](#Resource-Types)
|
||||
- [Parameters](#Parameters)
|
||||
- [Outputs](#Outputs)
|
||||
- [Cross-referenced modules](#Cross-referenced-modules)
|
||||
|
||||
## Resource Types
|
||||
|
||||
| Resource Type | API Version |
|
||||
| :-- | :-- |
|
||||
| `Microsoft.Authorization/locks` | [2017-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2017-04-01/locks) |
|
||||
|
||||
## Parameters
|
||||
|
||||
**Required parameters**
|
||||
| Parameter Name | Type | Allowed Values | Description |
|
||||
| :-- | :-- | :-- | :-- |
|
||||
| `level` | string | `[CanNotDelete, ReadOnly]` | Set lock level. |
|
||||
|
||||
**Optional parameters**
|
||||
| Parameter Name | Type | Default Value | Description |
|
||||
| :-- | :-- | :-- | :-- |
|
||||
| `enableDefaultTelemetry` | bool | `True` | Enable telemetry via the Customer Usage Attribution ID (GUID). |
|
||||
| `name` | string | `[format('{0}-lock', parameters('level'))]` | The name of the lock. |
|
||||
| `notes` | string | `[if(equals(parameters('level'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]` | The decription attached to the lock. |
|
||||
|
||||
|
||||
## Outputs
|
||||
|
||||
| Output Name | Type | Description |
|
||||
| :-- | :-- | :-- |
|
||||
| `name` | string | The name of the lock. |
|
||||
| `resourceId` | string | The resource ID of the lock. |
|
||||
| `scope` | string | The scope this lock applies to. |
|
||||
| `subscriptionName` | string | The subscription name the lock was deployed into. |
|
||||
|
||||
## Cross-referenced modules
|
||||
|
||||
_None_
|
|
@ -1,4 +0,0 @@
|
|||
{
|
||||
"$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
|
||||
"version": "0.1"
|
||||
}
|
|
@ -1,4 +0,0 @@
|
|||
{
|
||||
"$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
|
||||
"version": "0.1"
|
||||
}
|
|
@ -1,12 +0,0 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"name": {
|
||||
"value": "<<namePrefix>>-min-mg-polAss"
|
||||
},
|
||||
"policyDefinitionID": {
|
||||
"value": "/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d"
|
||||
}
|
||||
}
|
||||
}
|
|
@ -1,63 +0,0 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"name": {
|
||||
"value": "<<namePrefix>>-mg-polAss"
|
||||
},
|
||||
"displayName": {
|
||||
"value": "[Display Name] Policy Assignment at the management group scope"
|
||||
},
|
||||
"description": {
|
||||
"value": "[Description] Policy Assignment at the management group scope"
|
||||
},
|
||||
"policyDefinitionId": {
|
||||
"value": "/providers/Microsoft.Authorization/policyDefinitions/4f9dc7db-30c1-420c-b61a-e1d640128d26"
|
||||
},
|
||||
"parameters": {
|
||||
"value": {
|
||||
"tagName": {
|
||||
"value": "env"
|
||||
},
|
||||
"tagValue": {
|
||||
"value": "prod"
|
||||
}
|
||||
}
|
||||
},
|
||||
"nonComplianceMessages": {
|
||||
"value": [
|
||||
{
|
||||
"message": "Violated Policy Assignment - This is a Non Compliance Message"
|
||||
}
|
||||
]
|
||||
},
|
||||
"enforcementMode": {
|
||||
"value": "DoNotEnforce"
|
||||
},
|
||||
"metadata": {
|
||||
"value": {
|
||||
"category": "Security",
|
||||
"version": "1.0"
|
||||
}
|
||||
},
|
||||
"location": {
|
||||
"value": "australiaeast"
|
||||
},
|
||||
"notScopes": {
|
||||
"value": [
|
||||
"/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg"
|
||||
]
|
||||
},
|
||||
"identity": {
|
||||
"value": "SystemAssigned"
|
||||
},
|
||||
"roleDefinitionIds": {
|
||||
"value": [
|
||||
"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
|
||||
]
|
||||
},
|
||||
"managementGroupId": {
|
||||
"value": "<<managementGroupId>>"
|
||||
}
|
||||
}
|
||||
}
|
|
@ -1,18 +0,0 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"name": {
|
||||
"value": "<<namePrefix>>-min-rg-polAss"
|
||||
},
|
||||
"policyDefinitionID": {
|
||||
"value": "/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d"
|
||||
},
|
||||
"subscriptionId": {
|
||||
"value": "<<subscriptionId>>"
|
||||
},
|
||||
"resourceGroupName": {
|
||||
"value": "validation-rg"
|
||||
}
|
||||
}
|
||||
}
|
|
@ -1,69 +0,0 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"name": {
|
||||
"value": "<<namePrefix>>-rg-polAss"
|
||||
},
|
||||
"displayName": {
|
||||
"value": "[Display Name] Policy Assignment at the resource group scope"
|
||||
},
|
||||
"description": {
|
||||
"value": "[Description] Policy Assignment at the resource group scope"
|
||||
},
|
||||
"policyDefinitionId": {
|
||||
"value": "/providers/Microsoft.Authorization/policyDefinitions/4f9dc7db-30c1-420c-b61a-e1d640128d26"
|
||||
},
|
||||
"parameters": {
|
||||
"value": {
|
||||
"tagName": {
|
||||
"value": "env"
|
||||
},
|
||||
"tagValue": {
|
||||
"value": "prod"
|
||||
}
|
||||
}
|
||||
},
|
||||
"nonComplianceMessages": {
|
||||
"value": [
|
||||
{
|
||||
"message": "Violated Policy Assignment - This is a Non Compliance Message"
|
||||
}
|
||||
]
|
||||
},
|
||||
"enforcementMode": {
|
||||
"value": "DoNotEnforce"
|
||||
},
|
||||
"metadata": {
|
||||
"value": {
|
||||
"category": "Security",
|
||||
"version": "1.0"
|
||||
}
|
||||
},
|
||||
"location": {
|
||||
"value": "australiaeast"
|
||||
},
|
||||
"notScopes": {
|
||||
"value": [
|
||||
"/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<<namePrefix>>-az-kv-x-001"
|
||||
]
|
||||
},
|
||||
"identity": {
|
||||
"value": "UserAssigned"
|
||||
},
|
||||
"userAssignedIdentityId": {
|
||||
"value": "/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<<namePrefix>>-az-msi-x-001"
|
||||
},
|
||||
"roleDefinitionIds": {
|
||||
"value": [
|
||||
"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
|
||||
]
|
||||
},
|
||||
"subscriptionId": {
|
||||
"value": "<<subscriptionId>>"
|
||||
},
|
||||
"resourceGroupName": {
|
||||
"value": "validation-rg"
|
||||
}
|
||||
}
|
||||
}
|
|
@ -1,15 +0,0 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"name": {
|
||||
"value": "<<namePrefix>>-min-sub-polAss"
|
||||
},
|
||||
"policyDefinitionID": {
|
||||
"value": "/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d"
|
||||
},
|
||||
"subscriptionId": {
|
||||
"value": "<<subscriptionId>>"
|
||||
}
|
||||
}
|
||||
}
|
|
@ -1,66 +0,0 @@
|
|||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
"name": {
|
||||
"value": "<<namePrefix>>-sub-polAss"
|
||||
},
|
||||
"displayName": {
|
||||
"value": "[Display Name] Policy Assignment at the subscription scope"
|
||||
},
|
||||
"description": {
|
||||
"value": "[Description] Policy Assignment at the subscription scope"
|
||||
},
|
||||
"policyDefinitionId": {
|
||||
"value": "/providers/Microsoft.Authorization/policyDefinitions/4f9dc7db-30c1-420c-b61a-e1d640128d26"
|
||||
},
|
||||
"parameters": {
|
||||
"value": {
|
||||
"tagName": {
|
||||
"value": "env"
|
||||
},
|
||||
"tagValue": {
|
||||
"value": "prod"
|
||||
}
|
||||
}
|
||||
},
|
||||
"nonComplianceMessages": {
|
||||
"value": [
|
||||
{
|
||||
"message": "Violated Policy Assignment - This is a Non Compliance Message"
|
||||
}
|
||||
]
|
||||
},
|
||||
"enforcementMode": {
|
||||
"value": "DoNotEnforce"
|
||||
},
|
||||
"metadata": {
|
||||
"value": {
|
||||
"category": "Security",
|
||||
"version": "1.0"
|
||||
}
|
||||
},
|
||||
"location": {
|
||||
"value": "australiaeast"
|
||||
},
|
||||
"notScopes": {
|
||||
"value": [
|
||||
"/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg"
|
||||
]
|
||||
},
|
||||
"identity": {
|
||||
"value": "UserAssigned"
|
||||
},
|
||||
"userAssignedIdentityId": {
|
||||
"value": "/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<<namePrefix>>-az-msi-x-001"
|
||||
},
|
||||
"roleDefinitionIds": {
|
||||
"value": [
|
||||
"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
|
||||
]
|
||||
},
|
||||
"subscriptionId": {
|
||||
"value": "<<subscriptionId>>"
|
||||
}
|
||||
}
|
||||
}
|
|
@ -1,155 +0,0 @@
|
|||
targetScope = 'managementGroup'
|
||||
|
||||
@sys.description('Required. Specifies the name of the policy assignment. Maximum length is 24 characters for management group scope, 64 characters for subscription and resource group scopes.')
|
||||
param name string
|
||||
|
||||
@sys.description('Optional. This message will be part of response in case of policy violation.')
|
||||
param description string = ''
|
||||
|
||||
@sys.description('Optional. The display name of the policy assignment. Maximum length is 128 characters.')
|
||||
@maxLength(128)
|
||||
param displayName string = ''
|
||||
|
||||
@sys.description('Required. Specifies the ID of the policy definition or policy set definition being assigned.')
|
||||
param policyDefinitionId string
|
||||
|
||||
@sys.description('Optional. Parameters for the policy assignment if needed.')
|
||||
param parameters object = {}
|
||||
|
||||
@sys.description('Optional. The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning \'Modify\' policy definitions.')
|
||||
@allowed([
|
||||
'SystemAssigned'
|
||||
'UserAssigned'
|
||||
'None'
|
||||
])
|
||||
param identity string = 'SystemAssigned'
|
||||
|
||||
@sys.description('Optional. The Resource ID for the user assigned identity to assign to the policy assignment.')
|
||||
param userAssignedIdentityId string = ''
|
||||
|
||||
@sys.description('Optional. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition.')
|
||||
param roleDefinitionIds array = []
|
||||
|
||||
@sys.description('Optional. The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs.')
|
||||
param metadata object = {}
|
||||
|
||||
@sys.description('Optional. The messages that describe why a resource is non-compliant with the policy.')
|
||||
param nonComplianceMessages array = []
|
||||
|
||||
@sys.description('Optional. The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce.')
|
||||
@allowed([
|
||||
'Default'
|
||||
'DoNotEnforce'
|
||||
])
|
||||
param enforcementMode string = 'Default'
|
||||
|
||||
@sys.description('Optional. The Target Scope for the Policy. The name of the management group for the policy assignment. If not provided, will use the current scope for deployment.')
|
||||
param managementGroupId string = managementGroup().name
|
||||
|
||||
@sys.description('Optional. The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment.')
|
||||
param subscriptionId string = ''
|
||||
|
||||
@sys.description('Optional. The Target Scope for the Policy. The name of the resource group for the policy assignment.')
|
||||
param resourceGroupName string = ''
|
||||
|
||||
@sys.description('Optional. The policy excluded scopes.')
|
||||
param notScopes array = []
|
||||
|
||||
@sys.description('Optional. Location for all resources.')
|
||||
param location string = deployment().location
|
||||
|
||||
@sys.description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
|
||||
param enableDefaultTelemetry bool = true
|
||||
|
||||
var enableReferencedModulesTelemetry = false
|
||||
|
||||
resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
|
||||
name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
|
||||
location: location
|
||||
properties: {
|
||||
mode: 'Incremental'
|
||||
template: {
|
||||
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
|
||||
contentVersion: '1.0.0.0'
|
||||
resources: []
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
module policyAssignment_mg 'managementGroup/deploy.bicep' = if (empty(subscriptionId) && empty(resourceGroupName)) {
|
||||
name: '${uniqueString(deployment().name, location)}-PolicyAssignment-MG-Module'
|
||||
scope: managementGroup(managementGroupId)
|
||||
params: {
|
||||
name: name
|
||||
policyDefinitionId: policyDefinitionId
|
||||
displayName: !empty(displayName) ? displayName : ''
|
||||
description: !empty(description) ? description : ''
|
||||
parameters: !empty(parameters) ? parameters : {}
|
||||
identity: identity
|
||||
userAssignedIdentityId: userAssignedIdentityId
|
||||
roleDefinitionIds: !empty(roleDefinitionIds) ? roleDefinitionIds : []
|
||||
metadata: !empty(metadata) ? metadata : {}
|
||||
nonComplianceMessages: !empty(nonComplianceMessages) ? nonComplianceMessages : []
|
||||
enforcementMode: enforcementMode
|
||||
notScopes: !empty(notScopes) ? notScopes : []
|
||||
managementGroupId: managementGroupId
|
||||
location: location
|
||||
enableDefaultTelemetry: enableReferencedModulesTelemetry
|
||||
}
|
||||
}
|
||||
|
||||
module policyAssignment_sub 'subscription/deploy.bicep' = if (!empty(subscriptionId) && empty(resourceGroupName)) {
|
||||
name: '${uniqueString(deployment().name, location)}-PolicyAssignment-Sub-Module'
|
||||
scope: subscription(subscriptionId)
|
||||
params: {
|
||||
name: name
|
||||
policyDefinitionId: policyDefinitionId
|
||||
displayName: !empty(displayName) ? displayName : ''
|
||||
description: !empty(description) ? description : ''
|
||||
parameters: !empty(parameters) ? parameters : {}
|
||||
identity: identity
|
||||
userAssignedIdentityId: userAssignedIdentityId
|
||||
roleDefinitionIds: !empty(roleDefinitionIds) ? roleDefinitionIds : []
|
||||
metadata: !empty(metadata) ? metadata : {}
|
||||
nonComplianceMessages: !empty(nonComplianceMessages) ? nonComplianceMessages : []
|
||||
enforcementMode: enforcementMode
|
||||
notScopes: !empty(notScopes) ? notScopes : []
|
||||
subscriptionId: subscriptionId
|
||||
location: location
|
||||
enableDefaultTelemetry: enableReferencedModulesTelemetry
|
||||
}
|
||||
}
|
||||
|
||||
module policyAssignment_rg 'resourceGroup/deploy.bicep' = if (!empty(resourceGroupName) && !empty(subscriptionId)) {
|
||||
name: '${uniqueString(deployment().name, location)}-PolicyAssignment-RG-Module'
|
||||
scope: resourceGroup(subscriptionId, resourceGroupName)
|
||||
params: {
|
||||
name: name
|
||||
policyDefinitionId: policyDefinitionId
|
||||
displayName: !empty(displayName) ? displayName : ''
|
||||
description: !empty(description) ? description : ''
|
||||
parameters: !empty(parameters) ? parameters : {}
|
||||
identity: identity
|
||||
userAssignedIdentityId: userAssignedIdentityId
|
||||
roleDefinitionIds: !empty(roleDefinitionIds) ? roleDefinitionIds : []
|
||||
metadata: !empty(metadata) ? metadata : {}
|
||||
nonComplianceMessages: !empty(nonComplianceMessages) ? nonComplianceMessages : []
|
||||
enforcementMode: enforcementMode
|
||||
notScopes: !empty(notScopes) ? notScopes : []
|
||||
subscriptionId: subscriptionId
|
||||
location: location
|
||||
enableDefaultTelemetry: enableReferencedModulesTelemetry
|
||||
}
|
||||
}
|
||||
|
||||
@sys.description('Policy Assignment Name.')
|
||||
output name string = empty(subscriptionId) && empty(resourceGroupName) ? policyAssignment_mg.outputs.name : (!empty(subscriptionId) && empty(resourceGroupName) ? policyAssignment_sub.outputs.name : policyAssignment_rg.outputs.name)
|
||||
|
||||
@sys.description('Policy Assignment principal ID.')
|
||||
output principalId string = empty(subscriptionId) && empty(resourceGroupName) ? policyAssignment_mg.outputs.principalId : (!empty(subscriptionId) && empty(resourceGroupName) ? policyAssignment_sub.outputs.principalId : policyAssignment_rg.outputs.principalId)
|
||||
|
||||
@sys.description('Policy Assignment resource ID.')
|
||||
output resourceId string = empty(subscriptionId) && empty(resourceGroupName) ? policyAssignment_mg.outputs.resourceId : (!empty(subscriptionId) && empty(resourceGroupName) ? policyAssignment_sub.outputs.resourceId : policyAssignment_rg.outputs.resourceId)
|
||||
|
||||
@sys.description('The location the resource was deployed into.')
|
||||
output location string = empty(subscriptionId) && empty(resourceGroupName) ? policyAssignment_mg.outputs.location : (!empty(subscriptionId) && empty(resourceGroupName) ? policyAssignment_sub.outputs.location : policyAssignment_rg.outputs.location)
|
|
@ -1,116 +0,0 @@
|
|||
targetScope = 'managementGroup'
|
||||
|
||||
@sys.description('Required. Specifies the name of the policy assignment. Maximum length is 24 characters for management group scope.')
|
||||
@maxLength(24)
|
||||
param name string
|
||||
|
||||
@sys.description('Optional. This message will be part of response in case of policy violation.')
|
||||
param description string = ''
|
||||
|
||||
@sys.description('Optional. The display name of the policy assignment. Maximum length is 128 characters.')
|
||||
@maxLength(128)
|
||||
param displayName string = ''
|
||||
|
||||
@sys.description('Required. Specifies the ID of the policy definition or policy set definition being assigned.')
|
||||
param policyDefinitionId string
|
||||
|
||||
@sys.description('Optional. Parameters for the policy assignment if needed.')
|
||||
param parameters object = {}
|
||||
|
||||
@sys.description('Optional. The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning \'Modify\' policy definitions.')
|
||||
@allowed([
|
||||
'SystemAssigned'
|
||||
'UserAssigned'
|
||||
'None'
|
||||
])
|
||||
param identity string = 'SystemAssigned'
|
||||
|
||||
@sys.description('Optional. The Resource ID for the user assigned identity to assign to the policy assignment.')
|
||||
param userAssignedIdentityId string = ''
|
||||
|
||||
@sys.description('Optional. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition.')
|
||||
param roleDefinitionIds array = []
|
||||
|
||||
@sys.description('Optional. The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs.')
|
||||
param metadata object = {}
|
||||
|
||||
@sys.description('Optional. The messages that describe why a resource is non-compliant with the policy.')
|
||||
param nonComplianceMessages array = []
|
||||
|
||||
@sys.description('Optional. The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce.')
|
||||
@allowed([
|
||||
'Default'
|
||||
'DoNotEnforce'
|
||||
])
|
||||
param enforcementMode string = 'Default'
|
||||
|
||||
@sys.description('Optional. The Target Scope for the Policy. The name of the management group for the policy assignment. If not provided, will use the current scope for deployment.')
|
||||
param managementGroupId string = managementGroup().name
|
||||
|
||||
@sys.description('Optional. The policy excluded scopes.')
|
||||
param notScopes array = []
|
||||
|
||||
@sys.description('Optional. Location for all resources.')
|
||||
param location string = deployment().location
|
||||
|
||||
@sys.description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
|
||||
param enableDefaultTelemetry bool = true
|
||||
|
||||
var identity_var = identity == 'SystemAssigned' ? {
|
||||
type: identity
|
||||
} : identity == 'UserAssigned' ? {
|
||||
type: identity
|
||||
userAssignedIdentities: {
|
||||
'${userAssignedIdentityId}': {}
|
||||
}
|
||||
} : null
|
||||
|
||||
resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
|
||||
name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
|
||||
location: location
|
||||
properties: {
|
||||
mode: 'Incremental'
|
||||
template: {
|
||||
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
|
||||
contentVersion: '1.0.0.0'
|
||||
resources: []
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource policyAssignment 'Microsoft.Authorization/policyAssignments@2021-06-01' = {
|
||||
name: name
|
||||
location: location
|
||||
properties: {
|
||||
displayName: !empty(displayName) ? displayName : null
|
||||
metadata: !empty(metadata) ? metadata : null
|
||||
description: !empty(description) ? description : null
|
||||
policyDefinitionId: policyDefinitionId
|
||||
parameters: parameters
|
||||
nonComplianceMessages: !empty(nonComplianceMessages) ? nonComplianceMessages : []
|
||||
enforcementMode: enforcementMode
|
||||
notScopes: !empty(notScopes) ? notScopes : []
|
||||
}
|
||||
identity: identity_var
|
||||
}
|
||||
|
||||
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for roleDefinitionId in roleDefinitionIds: if (!empty(roleDefinitionIds) && identity == 'SystemAssigned') {
|
||||
name: guid(managementGroupId, roleDefinitionId, location, name)
|
||||
properties: {
|
||||
roleDefinitionId: roleDefinitionId
|
||||
principalId: policyAssignment.identity.principalId
|
||||
principalType: 'ServicePrincipal'
|
||||
}
|
||||
}]
|
||||
|
||||
@sys.description('Policy Assignment Name.')
|
||||
output name string = policyAssignment.name
|
||||
|
||||
@sys.description('Policy Assignment principal ID.')
|
||||
output principalId string = identity == 'SystemAssigned' ? policyAssignment.identity.principalId : ''
|
||||
|
||||
@sys.description('Policy Assignment resource ID.')
|
||||
output resourceId string = extensionResourceId(tenantResourceId('Microsoft.Management/managementGroups', managementGroupId), 'Microsoft.Authorization/policyAssignments', policyAssignment.name)
|
||||
|
||||
@sys.description('The location the resource was deployed into.')
|
||||
output location string = policyAssignment.location
|
|
@ -1,56 +0,0 @@
|
|||
# Policy Assignment on Management Group level `[Microsoft.Authorization/policyAssignments/managementGroup]`
|
||||
|
||||
With this module you can perform policy assignments on a management group level.
|
||||
|
||||
## Navigation
|
||||
|
||||
- [Resource Types](#Resource-Types)
|
||||
- [Parameters](#Parameters)
|
||||
- [Outputs](#Outputs)
|
||||
- [Cross-referenced modules](#Cross-referenced-modules)
|
||||
|
||||
## Resource Types
|
||||
|
||||
| Resource Type | API Version |
|
||||
| :-- | :-- |
|
||||
| `Microsoft.Authorization/policyAssignments` | [2021-06-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2021-06-01/policyAssignments) |
|
||||
| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
|
||||
|
||||
## Parameters
|
||||
|
||||
**Required parameters**
|
||||
| Parameter Name | Type | Description |
|
||||
| :-- | :-- | :-- |
|
||||
| `name` | string | Specifies the name of the policy assignment. Maximum length is 24 characters for management group scope. |
|
||||
| `policyDefinitionId` | string | Specifies the ID of the policy definition or policy set definition being assigned. |
|
||||
|
||||
**Optional parameters**
|
||||
| Parameter Name | Type | Default Value | Allowed Values | Description |
|
||||
| :-- | :-- | :-- | :-- | :-- |
|
||||
| `description` | string | `''` | | This message will be part of response in case of policy violation. |
|
||||
| `displayName` | string | `''` | | The display name of the policy assignment. Maximum length is 128 characters. |
|
||||
| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). |
|
||||
| `enforcementMode` | string | `'Default'` | `[Default, DoNotEnforce]` | The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce. |
|
||||
| `identity` | string | `'SystemAssigned'` | `[None, SystemAssigned, UserAssigned]` | The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning 'Modify' policy definitions. |
|
||||
| `location` | string | `[deployment().location]` | | Location for all resources. |
|
||||
| `managementGroupId` | string | `[managementGroup().name]` | | The Target Scope for the Policy. The name of the management group for the policy assignment. If not provided, will use the current scope for deployment. |
|
||||
| `metadata` | object | `{object}` | | The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs. |
|
||||
| `nonComplianceMessages` | array | `[]` | | The messages that describe why a resource is non-compliant with the policy. |
|
||||
| `notScopes` | array | `[]` | | The policy excluded scopes. |
|
||||
| `parameters` | object | `{object}` | | Parameters for the policy assignment if needed. |
|
||||
| `roleDefinitionIds` | array | `[]` | | The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition. |
|
||||
| `userAssignedIdentityId` | string | `''` | | The Resource ID for the user assigned identity to assign to the policy assignment. |
|
||||
|
||||
|
||||
## Outputs
|
||||
|
||||
| Output Name | Type | Description |
|
||||
| :-- | :-- | :-- |
|
||||
| `location` | string | The location the resource was deployed into. |
|
||||
| `name` | string | Policy Assignment Name. |
|
||||
| `principalId` | string | Policy Assignment principal ID. |
|
||||
| `resourceId` | string | Policy Assignment resource ID. |
|
||||
|
||||
## Cross-referenced modules
|
||||
|
||||
_None_
|
|
@ -1,4 +0,0 @@
|
|||
{
|
||||
"$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
|
||||
"version": "0.4"
|
||||
}
|
|
@ -1,711 +0,0 @@
|
|||
# Policy Assignments `[Microsoft.Authorization/policyAssignments]`
|
||||
|
||||
With this module you can perform policy assignments across the management group, subscription or resource group scope.
|
||||
|
||||
## Navigation
|
||||
|
||||
- [Resource types](#Resource-types)
|
||||
- [Parameters](#Parameters)
|
||||
- [Module Usage Guidance](#Module-Usage-Guidance)
|
||||
- [Outputs](#Outputs)
|
||||
- [Cross-referenced modules](#Cross-referenced-modules)
|
||||
- [Deployment examples](#Deployment-examples)
|
||||
|
||||
## Resource types
|
||||
|
||||
| Resource Type | API Version |
|
||||
| :-- | :-- |
|
||||
| `Microsoft.Authorization/policyAssignments` | [2021-06-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2021-06-01/policyAssignments) |
|
||||
| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
|
||||
|
||||
## Parameters
|
||||
|
||||
**Required parameters**
|
||||
| Parameter Name | Type | Description |
|
||||
| :-- | :-- | :-- |
|
||||
| `name` | string | Specifies the name of the policy assignment. Maximum length is 24 characters for management group scope, 64 characters for subscription and resource group scopes. |
|
||||
| `policyDefinitionId` | string | Specifies the ID of the policy definition or policy set definition being assigned. |
|
||||
|
||||
**Optional parameters**
|
||||
| Parameter Name | Type | Default Value | Allowed Values | Description |
|
||||
| :-- | :-- | :-- | :-- | :-- |
|
||||
| `description` | string | `''` | | This message will be part of response in case of policy violation. |
|
||||
| `displayName` | string | `''` | | The display name of the policy assignment. Maximum length is 128 characters. |
|
||||
| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). |
|
||||
| `enforcementMode` | string | `'Default'` | `[Default, DoNotEnforce]` | The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce. |
|
||||
| `identity` | string | `'SystemAssigned'` | `[None, SystemAssigned, UserAssigned]` | The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning 'Modify' policy definitions. |
|
||||
| `location` | string | `[deployment().location]` | | Location for all resources. |
|
||||
| `managementGroupId` | string | `[managementGroup().name]` | | The Target Scope for the Policy. The name of the management group for the policy assignment. If not provided, will use the current scope for deployment. |
|
||||
| `metadata` | object | `{object}` | | The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs. |
|
||||
| `nonComplianceMessages` | array | `[]` | | The messages that describe why a resource is non-compliant with the policy. |
|
||||
| `notScopes` | array | `[]` | | The policy excluded scopes. |
|
||||
| `parameters` | object | `{object}` | | Parameters for the policy assignment if needed. |
|
||||
| `resourceGroupName` | string | `''` | | The Target Scope for the Policy. The name of the resource group for the policy assignment. |
|
||||
| `roleDefinitionIds` | array | `[]` | | The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition. |
|
||||
| `subscriptionId` | string | `''` | | The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment. |
|
||||
| `userAssignedIdentityId` | string | `''` | | The Resource ID for the user assigned identity to assign to the policy assignment. |
|
||||
|
||||
|
||||
### Parameter Usage: `managementGroupId`
|
||||
|
||||
To deploy resource to a Management Group, provide the `managementGroupId` as an input parameter to the module.
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Parameter JSON format</summary>
|
||||
|
||||
```json
|
||||
"managementGroupId": {
|
||||
"value": "contoso-group"
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Bicep format</summary>
|
||||
|
||||
```bicep
|
||||
managementGroupId: 'contoso-group'
|
||||
```
|
||||
|
||||
</details>
|
||||
<p>
|
||||
|
||||
> `managementGroupId` is an optional parameter. If not provided, the deployment will use the management group defined in the current deployment scope (i.e. `managementGroup().name`).
|
||||
|
||||
### Parameter Usage: `subscriptionId`
|
||||
|
||||
To deploy resource to an Azure Subscription, provide the `subscriptionId` as an input parameter to the module. **Example**:
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Parameter JSON format</summary>
|
||||
|
||||
```json
|
||||
"subscriptionId": {
|
||||
"value": "12345678-b049-471c-95af-123456789012"
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Bicep format</summary>
|
||||
|
||||
```bicep
|
||||
subscriptionId: '12345678-b049-471c-95af-123456789012'
|
||||
```
|
||||
|
||||
</details>
|
||||
<p>
|
||||
|
||||
### Parameter Usage: `resourceGroupName`
|
||||
|
||||
To deploy resource to a Resource Group, provide the `subscriptionId` and `resourceGroupName` as an input parameter to the module. **Example**:
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Parameter JSON format</summary>
|
||||
|
||||
```json
|
||||
"subscriptionId": {
|
||||
"value": "12345678-b049-471c-95af-123456789012"
|
||||
},
|
||||
"resourceGroupName": {
|
||||
"value": "target-resourceGroup"
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
|
||||
|
||||
<details>
|
||||
|
||||
<summary>Bicep format</summary>
|
||||
|
||||
```bicep
|
||||
subscriptionId: '12345678-b049-471c-95af-123456789012'
|
||||
resourceGroupName: 'target-resourceGroup'
|
||||
```
|
||||
|
||||
</details>
|
||||
<p>
|
||||
|
||||
> The `subscriptionId` is used to enable deployment to a Resource Group Scope, allowing the use of the `resourceGroup()` function from a Management Group Scope. [Additional Details](https://github.com/Azure/bicep/pull/1420).
|
||||
|
||||
## Module Usage Guidance
|
||||
|
||||
In general, most of the resources under the `Microsoft.Authorization` namespace allows deploying resources at multiple scopes (management groups, subscriptions, resource groups). The `deploy.bicep` root module is simply an orchestrator module that targets sub-modules for different scopes as seen in the parameter usage section. All sub-modules for this namespace have folders that represent the target scope. For example, if the orchestrator module in the [root](deploy.bicep) needs to target 'subscription' level scopes. It will look at the relative path ['/subscription/deploy.bicep'](./subscription/deploy.bicep) and use this sub-module for the actual deployment, while still passing the same parameters from the root module.
|
||||
|
||||
The above method is useful when you want to use a single point to interact with the module but rely on parameter combinations to achieve the target scope. But what if you want to incorporate this module in other modules with lower scopes? This would force you to deploy the module in scope `managementGroup` regardless and further require you to provide its ID with it. If you do not set the scope to management group, this would be the error that you can expect to face:
|
||||
|
||||
```bicep
|
||||
Error BCP134: Scope "subscription" is not valid for this module. Permitted scopes: "managementGroup"
|
||||
```
|
||||
|
||||
The solution is to have the option of directly targeting the sub-module that achieves the required scope. For example, if you have your own Bicep file wanting to create resources at the subscription level, and also use some of the modules from the `Microsoft.Authorization` namespace, then you can directly use the sub-module ['/subscription/deploy.bicep'](./subscription/deploy.bicep) as a path within your repository, or reference that same published module from the bicep registry. CARML also published the sub-modules so you would be able to reference it like the following:
|
||||
|
||||
**Bicep Registry Reference**
|
||||
```bicep
|
||||
module policyassignment 'br:bicepregistry.azurecr.io/bicep/modules/microsoft.authorization.policyassignments.subscription:version' = {}
|
||||
```
|
||||
**Local Path Reference**
|
||||
```bicep
|
||||
module policyassignment 'yourpath/modules/Microsoft.Authorization.policyAssignments/subscription/deploy.bicep' = {}
|
||||
```
|
||||
|
||||
## Outputs
|
||||
|
||||
| Output Name | Type | Description |
|
||||
| :-- | :-- | :-- |
|
||||
| `location` | string | The location the resource was deployed into. |
|
||||
| `name` | string | Policy Assignment Name. |
|
||||
| `principalId` | string | Policy Assignment principal ID. |
|
||||
| `resourceId` | string | Policy Assignment resource ID. |
|
||||
|
||||
## Cross-referenced modules
|
||||
|
||||
_None_
|
||||
|
||||
## Deployment examples
|
||||
|
||||
The following module usage examples are retrieved from the content of the files hosted in the module's `.test` folder.
|
||||
>**Note**: The name of each example is based on the name of the file from which it is taken.
|
||||
|
||||
>**Note**: Each example lists all the required parameters first, followed by the rest - each in alphabetical order.
|
||||
|
||||
<h3>Example 1: Mg Min</h3>
|
||||
|
||||
<details>
|
||||
|
||||
<summary>via Bicep module</summary>
|
||||
|
||||
```bicep
|
||||
module policyAssignments './Microsoft.Authorization/policyAssignments/deploy.bicep' = {
|
||||
name: '${uniqueString(deployment().name)}-PolicyAssignments'
|
||||
params: {
|
||||
// Required parameters
|
||||
name: '<<namePrefix>>-min-mg-polAss'
|
||||
policyDefinitionID: '/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d'
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
<p>
|
||||
|
||||
<details>
|
||||
|
||||
<summary>via JSON Parameter file</summary>
|
||||
|
||||
```json
|
||||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
// Required parameters
|
||||
"name": {
|
||||
"value": "<<namePrefix>>-min-mg-polAss"
|
||||
},
|
||||
"policyDefinitionID": {
|
||||
"value": "/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d"
|
||||
}
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
<p>
|
||||
|
||||
<h3>Example 2: Mg</h3>
|
||||
|
||||
<details>
|
||||
|
||||
<summary>via Bicep module</summary>
|
||||
|
||||
```bicep
|
||||
module policyAssignments './Microsoft.Authorization/policyAssignments/deploy.bicep' = {
|
||||
name: '${uniqueString(deployment().name)}-PolicyAssignments'
|
||||
params: {
|
||||
// Required parameters
|
||||
name: '<<namePrefix>>-mg-polAss'
|
||||
policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/4f9dc7db-30c1-420c-b61a-e1d640128d26'
|
||||
// Non-required parameters
|
||||
description: '[Description] Policy Assignment at the management group scope'
|
||||
displayName: '[Display Name] Policy Assignment at the management group scope'
|
||||
enforcementMode: 'DoNotEnforce'
|
||||
identity: 'SystemAssigned'
|
||||
location: 'australiaeast'
|
||||
managementGroupId: '<<managementGroupId>>'
|
||||
metadata: {
|
||||
category: 'Security'
|
||||
version: '1.0'
|
||||
}
|
||||
nonComplianceMessages: [
|
||||
{
|
||||
message: 'Violated Policy Assignment - This is a Non Compliance Message'
|
||||
}
|
||||
]
|
||||
notScopes: [
|
||||
'/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg'
|
||||
]
|
||||
parameters: {
|
||||
tagName: {
|
||||
value: 'env'
|
||||
}
|
||||
tagValue: {
|
||||
value: 'prod'
|
||||
}
|
||||
}
|
||||
roleDefinitionIds: [
|
||||
'/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c'
|
||||
]
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
<p>
|
||||
|
||||
<details>
|
||||
|
||||
<summary>via JSON Parameter file</summary>
|
||||
|
||||
```json
|
||||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
// Required parameters
|
||||
"name": {
|
||||
"value": "<<namePrefix>>-mg-polAss"
|
||||
},
|
||||
"policyDefinitionId": {
|
||||
"value": "/providers/Microsoft.Authorization/policyDefinitions/4f9dc7db-30c1-420c-b61a-e1d640128d26"
|
||||
},
|
||||
// Non-required parameters
|
||||
"description": {
|
||||
"value": "[Description] Policy Assignment at the management group scope"
|
||||
},
|
||||
"displayName": {
|
||||
"value": "[Display Name] Policy Assignment at the management group scope"
|
||||
},
|
||||
"enforcementMode": {
|
||||
"value": "DoNotEnforce"
|
||||
},
|
||||
"identity": {
|
||||
"value": "SystemAssigned"
|
||||
},
|
||||
"location": {
|
||||
"value": "australiaeast"
|
||||
},
|
||||
"managementGroupId": {
|
||||
"value": "<<managementGroupId>>"
|
||||
},
|
||||
"metadata": {
|
||||
"value": {
|
||||
"category": "Security",
|
||||
"version": "1.0"
|
||||
}
|
||||
},
|
||||
"nonComplianceMessages": {
|
||||
"value": [
|
||||
{
|
||||
"message": "Violated Policy Assignment - This is a Non Compliance Message"
|
||||
}
|
||||
]
|
||||
},
|
||||
"notScopes": {
|
||||
"value": [
|
||||
"/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg"
|
||||
]
|
||||
},
|
||||
"parameters": {
|
||||
"value": {
|
||||
"tagName": {
|
||||
"value": "env"
|
||||
},
|
||||
"tagValue": {
|
||||
"value": "prod"
|
||||
}
|
||||
}
|
||||
},
|
||||
"roleDefinitionIds": {
|
||||
"value": [
|
||||
"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
|
||||
]
|
||||
}
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
<p>
|
||||
|
||||
<h3>Example 3: Rg Min</h3>
|
||||
|
||||
<details>
|
||||
|
||||
<summary>via Bicep module</summary>
|
||||
|
||||
```bicep
|
||||
module policyAssignments './Microsoft.Authorization/policyAssignments/deploy.bicep' = {
|
||||
name: '${uniqueString(deployment().name)}-PolicyAssignments'
|
||||
params: {
|
||||
// Required parameters
|
||||
name: '<<namePrefix>>-min-rg-polAss'
|
||||
policyDefinitionID: '/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d'
|
||||
// Non-required parameters
|
||||
resourceGroupName: 'validation-rg'
|
||||
subscriptionId: '<<subscriptionId>>'
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
<p>
|
||||
|
||||
<details>
|
||||
|
||||
<summary>via JSON Parameter file</summary>
|
||||
|
||||
```json
|
||||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
// Required parameters
|
||||
"name": {
|
||||
"value": "<<namePrefix>>-min-rg-polAss"
|
||||
},
|
||||
"policyDefinitionID": {
|
||||
"value": "/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d"
|
||||
},
|
||||
// Non-required parameters
|
||||
"resourceGroupName": {
|
||||
"value": "validation-rg"
|
||||
},
|
||||
"subscriptionId": {
|
||||
"value": "<<subscriptionId>>"
|
||||
}
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
<p>
|
||||
|
||||
<h3>Example 4: Rg</h3>
|
||||
|
||||
<details>
|
||||
|
||||
<summary>via Bicep module</summary>
|
||||
|
||||
```bicep
|
||||
module policyAssignments './Microsoft.Authorization/policyAssignments/deploy.bicep' = {
|
||||
name: '${uniqueString(deployment().name)}-PolicyAssignments'
|
||||
params: {
|
||||
// Required parameters
|
||||
name: '<<namePrefix>>-rg-polAss'
|
||||
policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/4f9dc7db-30c1-420c-b61a-e1d640128d26'
|
||||
// Non-required parameters
|
||||
description: '[Description] Policy Assignment at the resource group scope'
|
||||
displayName: '[Display Name] Policy Assignment at the resource group scope'
|
||||
enforcementMode: 'DoNotEnforce'
|
||||
identity: 'UserAssigned'
|
||||
location: 'australiaeast'
|
||||
metadata: {
|
||||
category: 'Security'
|
||||
version: '1.0'
|
||||
}
|
||||
nonComplianceMessages: [
|
||||
{
|
||||
message: 'Violated Policy Assignment - This is a Non Compliance Message'
|
||||
}
|
||||
]
|
||||
notScopes: [
|
||||
'/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<<namePrefix>>-az-kv-x-001'
|
||||
]
|
||||
parameters: {
|
||||
tagName: {
|
||||
value: 'env'
|
||||
}
|
||||
tagValue: {
|
||||
value: 'prod'
|
||||
}
|
||||
}
|
||||
resourceGroupName: 'validation-rg'
|
||||
roleDefinitionIds: [
|
||||
'/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c'
|
||||
]
|
||||
subscriptionId: '<<subscriptionId>>'
|
||||
userAssignedIdentityId: '/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<<namePrefix>>-az-msi-x-001'
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
<p>
|
||||
|
||||
<details>
|
||||
|
||||
<summary>via JSON Parameter file</summary>
|
||||
|
||||
```json
|
||||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
// Required parameters
|
||||
"name": {
|
||||
"value": "<<namePrefix>>-rg-polAss"
|
||||
},
|
||||
"policyDefinitionId": {
|
||||
"value": "/providers/Microsoft.Authorization/policyDefinitions/4f9dc7db-30c1-420c-b61a-e1d640128d26"
|
||||
},
|
||||
// Non-required parameters
|
||||
"description": {
|
||||
"value": "[Description] Policy Assignment at the resource group scope"
|
||||
},
|
||||
"displayName": {
|
||||
"value": "[Display Name] Policy Assignment at the resource group scope"
|
||||
},
|
||||
"enforcementMode": {
|
||||
"value": "DoNotEnforce"
|
||||
},
|
||||
"identity": {
|
||||
"value": "UserAssigned"
|
||||
},
|
||||
"location": {
|
||||
"value": "australiaeast"
|
||||
},
|
||||
"metadata": {
|
||||
"value": {
|
||||
"category": "Security",
|
||||
"version": "1.0"
|
||||
}
|
||||
},
|
||||
"nonComplianceMessages": {
|
||||
"value": [
|
||||
{
|
||||
"message": "Violated Policy Assignment - This is a Non Compliance Message"
|
||||
}
|
||||
]
|
||||
},
|
||||
"notScopes": {
|
||||
"value": [
|
||||
"/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg/providers/Microsoft.KeyVault/vaults/adp-<<namePrefix>>-az-kv-x-001"
|
||||
]
|
||||
},
|
||||
"parameters": {
|
||||
"value": {
|
||||
"tagName": {
|
||||
"value": "env"
|
||||
},
|
||||
"tagValue": {
|
||||
"value": "prod"
|
||||
}
|
||||
}
|
||||
},
|
||||
"resourceGroupName": {
|
||||
"value": "validation-rg"
|
||||
},
|
||||
"roleDefinitionIds": {
|
||||
"value": [
|
||||
"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
|
||||
]
|
||||
},
|
||||
"subscriptionId": {
|
||||
"value": "<<subscriptionId>>"
|
||||
},
|
||||
"userAssignedIdentityId": {
|
||||
"value": "/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<<namePrefix>>-az-msi-x-001"
|
||||
}
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
<p>
|
||||
|
||||
<h3>Example 5: Sub Min</h3>
|
||||
|
||||
<details>
|
||||
|
||||
<summary>via Bicep module</summary>
|
||||
|
||||
```bicep
|
||||
module policyAssignments './Microsoft.Authorization/policyAssignments/deploy.bicep' = {
|
||||
name: '${uniqueString(deployment().name)}-PolicyAssignments'
|
||||
params: {
|
||||
// Required parameters
|
||||
name: '<<namePrefix>>-min-sub-polAss'
|
||||
policyDefinitionID: '/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d'
|
||||
// Non-required parameters
|
||||
subscriptionId: '<<subscriptionId>>'
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
<p>
|
||||
|
||||
<details>
|
||||
|
||||
<summary>via JSON Parameter file</summary>
|
||||
|
||||
```json
|
||||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
// Required parameters
|
||||
"name": {
|
||||
"value": "<<namePrefix>>-min-sub-polAss"
|
||||
},
|
||||
"policyDefinitionID": {
|
||||
"value": "/providers/Microsoft.Authorization/policyDefinitions/06a78e20-9358-41c9-923c-fb736d382a4d"
|
||||
},
|
||||
// Non-required parameters
|
||||
"subscriptionId": {
|
||||
"value": "<<subscriptionId>>"
|
||||
}
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
<p>
|
||||
|
||||
<h3>Example 6: Sub</h3>
|
||||
|
||||
<details>
|
||||
|
||||
<summary>via Bicep module</summary>
|
||||
|
||||
```bicep
|
||||
module policyAssignments './Microsoft.Authorization/policyAssignments/deploy.bicep' = {
|
||||
name: '${uniqueString(deployment().name)}-PolicyAssignments'
|
||||
params: {
|
||||
// Required parameters
|
||||
name: '<<namePrefix>>-sub-polAss'
|
||||
policyDefinitionId: '/providers/Microsoft.Authorization/policyDefinitions/4f9dc7db-30c1-420c-b61a-e1d640128d26'
|
||||
// Non-required parameters
|
||||
description: '[Description] Policy Assignment at the subscription scope'
|
||||
displayName: '[Display Name] Policy Assignment at the subscription scope'
|
||||
enforcementMode: 'DoNotEnforce'
|
||||
identity: 'UserAssigned'
|
||||
location: 'australiaeast'
|
||||
metadata: {
|
||||
category: 'Security'
|
||||
version: '1.0'
|
||||
}
|
||||
nonComplianceMessages: [
|
||||
{
|
||||
message: 'Violated Policy Assignment - This is a Non Compliance Message'
|
||||
}
|
||||
]
|
||||
notScopes: [
|
||||
'/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg'
|
||||
]
|
||||
parameters: {
|
||||
tagName: {
|
||||
value: 'env'
|
||||
}
|
||||
tagValue: {
|
||||
value: 'prod'
|
||||
}
|
||||
}
|
||||
roleDefinitionIds: [
|
||||
'/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c'
|
||||
]
|
||||
subscriptionId: '<<subscriptionId>>'
|
||||
userAssignedIdentityId: '/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<<namePrefix>>-az-msi-x-001'
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
<p>
|
||||
|
||||
<details>
|
||||
|
||||
<summary>via JSON Parameter file</summary>
|
||||
|
||||
```json
|
||||
{
|
||||
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
|
||||
"contentVersion": "1.0.0.0",
|
||||
"parameters": {
|
||||
// Required parameters
|
||||
"name": {
|
||||
"value": "<<namePrefix>>-sub-polAss"
|
||||
},
|
||||
"policyDefinitionId": {
|
||||
"value": "/providers/Microsoft.Authorization/policyDefinitions/4f9dc7db-30c1-420c-b61a-e1d640128d26"
|
||||
},
|
||||
// Non-required parameters
|
||||
"description": {
|
||||
"value": "[Description] Policy Assignment at the subscription scope"
|
||||
},
|
||||
"displayName": {
|
||||
"value": "[Display Name] Policy Assignment at the subscription scope"
|
||||
},
|
||||
"enforcementMode": {
|
||||
"value": "DoNotEnforce"
|
||||
},
|
||||
"identity": {
|
||||
"value": "UserAssigned"
|
||||
},
|
||||
"location": {
|
||||
"value": "australiaeast"
|
||||
},
|
||||
"metadata": {
|
||||
"value": {
|
||||
"category": "Security",
|
||||
"version": "1.0"
|
||||
}
|
||||
},
|
||||
"nonComplianceMessages": {
|
||||
"value": [
|
||||
{
|
||||
"message": "Violated Policy Assignment - This is a Non Compliance Message"
|
||||
}
|
||||
]
|
||||
},
|
||||
"notScopes": {
|
||||
"value": [
|
||||
"/subscriptions/<<subscriptionId>>/resourceGroups/validation-rg"
|
||||
]
|
||||
},
|
||||
"parameters": {
|
||||
"value": {
|
||||
"tagName": {
|
||||
"value": "env"
|
||||
},
|
||||
"tagValue": {
|
||||
"value": "prod"
|
||||
}
|
||||
}
|
||||
},
|
||||
"roleDefinitionIds": {
|
||||
"value": [
|
||||
"/providers/microsoft.authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c"
|
||||
]
|
||||
},
|
||||
"subscriptionId": {
|
||||
"value": "<<subscriptionId>>"
|
||||
},
|
||||
"userAssignedIdentityId": {
|
||||
"value": "/subscriptions/<<subscriptionId>>/resourcegroups/validation-rg/providers/Microsoft.ManagedIdentity/userAssignedIdentities/adp-<<namePrefix>>-az-msi-x-001"
|
||||
}
|
||||
}
|
||||
}
|
||||
```
|
||||
|
||||
</details>
|
||||
<p>
|
|
@ -1,121 +0,0 @@
|
|||
targetScope = 'resourceGroup'
|
||||
|
||||
@sys.description('Required. Specifies the name of the policy assignment. Maximum length is 64 characters for resource group scope.')
|
||||
@maxLength(64)
|
||||
param name string
|
||||
|
||||
@sys.description('Optional. This message will be part of response in case of policy violation.')
|
||||
param description string = ''
|
||||
|
||||
@sys.description('Optional. The display name of the policy assignment. Maximum length is 128 characters.')
|
||||
@maxLength(128)
|
||||
param displayName string = ''
|
||||
|
||||
@sys.description('Required. Specifies the ID of the policy definition or policy set definition being assigned.')
|
||||
param policyDefinitionId string
|
||||
|
||||
@sys.description('Optional. Parameters for the policy assignment if needed.')
|
||||
param parameters object = {}
|
||||
|
||||
@sys.description('Optional. The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning \'Modify\' policy definitions.')
|
||||
@allowed([
|
||||
'SystemAssigned'
|
||||
'UserAssigned'
|
||||
'None'
|
||||
])
|
||||
param identity string = 'SystemAssigned'
|
||||
|
||||
@sys.description('Optional. The Resource ID for the user assigned identity to assign to the policy assignment.')
|
||||
param userAssignedIdentityId string = ''
|
||||
|
||||
@sys.description('Optional. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition.')
|
||||
param roleDefinitionIds array = []
|
||||
|
||||
@sys.description('Optional. The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs.')
|
||||
param metadata object = {}
|
||||
|
||||
@sys.description('Optional. The messages that describe why a resource is non-compliant with the policy.')
|
||||
param nonComplianceMessages array = []
|
||||
|
||||
@sys.description('Optional. The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce.')
|
||||
@allowed([
|
||||
'Default'
|
||||
'DoNotEnforce'
|
||||
])
|
||||
param enforcementMode string = 'Default'
|
||||
|
||||
@sys.description('Optional. The policy excluded scopes.')
|
||||
param notScopes array = []
|
||||
|
||||
@sys.description('Optional. Location for all resources.')
|
||||
param location string = resourceGroup().location
|
||||
|
||||
@sys.description('Optional. The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment. If not provided, will use the current scope for deployment.')
|
||||
param subscriptionId string = subscription().subscriptionId
|
||||
|
||||
@sys.description('Optional. The Target Scope for the Policy. The name of the resource group for the policy assignment. If not provided, will use the current scope for deployment.')
|
||||
param resourceGroupName string = resourceGroup().name
|
||||
|
||||
@sys.description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
|
||||
param enableDefaultTelemetry bool = true
|
||||
|
||||
resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
|
||||
name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
|
||||
properties: {
|
||||
mode: 'Incremental'
|
||||
template: {
|
||||
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
|
||||
contentVersion: '1.0.0.0'
|
||||
resources: []
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
var identity_var = identity == 'SystemAssigned' ? {
|
||||
type: identity
|
||||
} : identity == 'UserAssigned' ? {
|
||||
type: identity
|
||||
userAssignedIdentities: {
|
||||
'${userAssignedIdentityId}': {}
|
||||
}
|
||||
} : null
|
||||
|
||||
resource policyAssignment 'Microsoft.Authorization/policyAssignments@2021-06-01' = {
|
||||
name: name
|
||||
location: location
|
||||
properties: {
|
||||
displayName: !empty(displayName) ? displayName : null
|
||||
metadata: !empty(metadata) ? metadata : null
|
||||
description: !empty(description) ? description : null
|
||||
policyDefinitionId: policyDefinitionId
|
||||
parameters: parameters
|
||||
nonComplianceMessages: !empty(nonComplianceMessages) ? nonComplianceMessages : []
|
||||
enforcementMode: enforcementMode
|
||||
notScopes: !empty(notScopes) ? notScopes : []
|
||||
}
|
||||
identity: identity_var
|
||||
}
|
||||
|
||||
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for roleDefinitionId in roleDefinitionIds: if (!empty(roleDefinitionIds) && identity == 'SystemAssigned') {
|
||||
name: guid(subscriptionId, resourceGroupName, roleDefinitionId, location, name)
|
||||
properties: {
|
||||
roleDefinitionId: roleDefinitionId
|
||||
principalId: policyAssignment.identity.principalId
|
||||
principalType: 'ServicePrincipal'
|
||||
}
|
||||
}]
|
||||
|
||||
@sys.description('Policy Assignment Name.')
|
||||
output name string = policyAssignment.name
|
||||
|
||||
@sys.description('Policy Assignment principal ID.')
|
||||
output principalId string = identity == 'SystemAssigned' ? policyAssignment.identity.principalId : ''
|
||||
|
||||
@sys.description('Policy Assignment resource ID.')
|
||||
output resourceId string = az.resourceId(subscriptionId, resourceGroupName, 'Microsoft.Authorization/policyAssignments', policyAssignment.name)
|
||||
|
||||
@sys.description('The name of the resource group the policy was assigned to.')
|
||||
output resourceGroupName string = resourceGroup().name
|
||||
|
||||
@sys.description('The location the resource was deployed into.')
|
||||
output location string = policyAssignment.location
|
|
@ -1,58 +0,0 @@
|
|||
# Policy Assignment on Resource Group level `[Microsoft.Authorization/policyAssignments/resourceGroup]`
|
||||
|
||||
With this module you can perform policy assignments on a resource group level
|
||||
|
||||
## Navigation
|
||||
|
||||
- [Resource Types](#Resource-Types)
|
||||
- [Parameters](#Parameters)
|
||||
- [Outputs](#Outputs)
|
||||
- [Cross-referenced modules](#Cross-referenced-modules)
|
||||
|
||||
## Resource Types
|
||||
|
||||
| Resource Type | API Version |
|
||||
| :-- | :-- |
|
||||
| `Microsoft.Authorization/policyAssignments` | [2021-06-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2021-06-01/policyAssignments) |
|
||||
| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
|
||||
|
||||
## Parameters
|
||||
|
||||
**Required parameters**
|
||||
| Parameter Name | Type | Description |
|
||||
| :-- | :-- | :-- |
|
||||
| `name` | string | Specifies the name of the policy assignment. Maximum length is 64 characters for resource group scope. |
|
||||
| `policyDefinitionId` | string | Specifies the ID of the policy definition or policy set definition being assigned. |
|
||||
|
||||
**Optional parameters**
|
||||
| Parameter Name | Type | Default Value | Allowed Values | Description |
|
||||
| :-- | :-- | :-- | :-- | :-- |
|
||||
| `description` | string | `''` | | This message will be part of response in case of policy violation. |
|
||||
| `displayName` | string | `''` | | The display name of the policy assignment. Maximum length is 128 characters. |
|
||||
| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). |
|
||||
| `enforcementMode` | string | `'Default'` | `[Default, DoNotEnforce]` | The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce. |
|
||||
| `identity` | string | `'SystemAssigned'` | `[None, SystemAssigned, UserAssigned]` | The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning 'Modify' policy definitions. |
|
||||
| `location` | string | `[resourceGroup().location]` | | Location for all resources. |
|
||||
| `metadata` | object | `{object}` | | The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs. |
|
||||
| `nonComplianceMessages` | array | `[]` | | The messages that describe why a resource is non-compliant with the policy. |
|
||||
| `notScopes` | array | `[]` | | The policy excluded scopes. |
|
||||
| `parameters` | object | `{object}` | | Parameters for the policy assignment if needed. |
|
||||
| `resourceGroupName` | string | `[resourceGroup().name]` | | The Target Scope for the Policy. The name of the resource group for the policy assignment. If not provided, will use the current scope for deployment. |
|
||||
| `roleDefinitionIds` | array | `[]` | | The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition. |
|
||||
| `subscriptionId` | string | `[subscription().subscriptionId]` | | The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment. If not provided, will use the current scope for deployment. |
|
||||
| `userAssignedIdentityId` | string | `''` | | The Resource ID for the user assigned identity to assign to the policy assignment. |
|
||||
|
||||
|
||||
## Outputs
|
||||
|
||||
| Output Name | Type | Description |
|
||||
| :-- | :-- | :-- |
|
||||
| `location` | string | The location the resource was deployed into. |
|
||||
| `name` | string | Policy Assignment Name. |
|
||||
| `principalId` | string | Policy Assignment principal ID. |
|
||||
| `resourceGroupName` | string | The name of the resource group the policy was assigned to. |
|
||||
| `resourceId` | string | Policy Assignment resource ID. |
|
||||
|
||||
## Cross-referenced modules
|
||||
|
||||
_None_
|
|
@ -1,4 +0,0 @@
|
|||
{
|
||||
"$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
|
||||
"version": "0.4"
|
||||
}
|
|
@ -1,116 +0,0 @@
|
|||
targetScope = 'subscription'
|
||||
|
||||
@sys.description('Required. Specifies the name of the policy assignment. Maximum length is 64 characters for subscription scope.')
|
||||
@maxLength(64)
|
||||
param name string
|
||||
|
||||
@sys.description('Optional. This message will be part of response in case of policy violation.')
|
||||
param description string = ''
|
||||
|
||||
@sys.description('Optional. The display name of the policy assignment. Maximum length is 128 characters.')
|
||||
@maxLength(128)
|
||||
param displayName string = ''
|
||||
|
||||
@sys.description('Required. Specifies the ID of the policy definition or policy set definition being assigned.')
|
||||
param policyDefinitionId string
|
||||
|
||||
@sys.description('Optional. Parameters for the policy assignment if needed.')
|
||||
param parameters object = {}
|
||||
|
||||
@sys.description('Optional. The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning \'Modify\' policy definitions.')
|
||||
@allowed([
|
||||
'SystemAssigned'
|
||||
'UserAssigned'
|
||||
'None'
|
||||
])
|
||||
param identity string = 'SystemAssigned'
|
||||
|
||||
@sys.description('Optional. The Resource ID for the user assigned identity to assign to the policy assignment.')
|
||||
param userAssignedIdentityId string = ''
|
||||
|
||||
@sys.description('Optional. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition.')
|
||||
param roleDefinitionIds array = []
|
||||
|
||||
@sys.description('Optional. The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs.')
|
||||
param metadata object = {}
|
||||
|
||||
@sys.description('Optional. The messages that describe why a resource is non-compliant with the policy.')
|
||||
param nonComplianceMessages array = []
|
||||
|
||||
@sys.description('Optional. The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce.')
|
||||
@allowed([
|
||||
'Default'
|
||||
'DoNotEnforce'
|
||||
])
|
||||
param enforcementMode string = 'Default'
|
||||
|
||||
@sys.description('Optional. The policy excluded scopes.')
|
||||
param notScopes array = []
|
||||
|
||||
@sys.description('Optional. Location for all resources.')
|
||||
param location string = deployment().location
|
||||
|
||||
@sys.description('Optional. The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment. If not provided, will use the current scope for deployment.')
|
||||
param subscriptionId string = subscription().subscriptionId
|
||||
|
||||
@sys.description('Optional. Enable telemetry via the Customer Usage Attribution ID (GUID).')
|
||||
param enableDefaultTelemetry bool = true
|
||||
|
||||
var identity_var = identity == 'SystemAssigned' ? {
|
||||
type: identity
|
||||
} : identity == 'UserAssigned' ? {
|
||||
type: identity
|
||||
userAssignedIdentities: {
|
||||
'${userAssignedIdentityId}': {}
|
||||
}
|
||||
} : null
|
||||
|
||||
resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) {
|
||||
name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name, location)}'
|
||||
location: location
|
||||
properties: {
|
||||
mode: 'Incremental'
|
||||
template: {
|
||||
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
|
||||
contentVersion: '1.0.0.0'
|
||||
resources: []
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
resource policyAssignment 'Microsoft.Authorization/policyAssignments@2021-06-01' = {
|
||||
name: name
|
||||
location: location
|
||||
properties: {
|
||||
displayName: !empty(displayName) ? displayName : null
|
||||
metadata: !empty(metadata) ? metadata : null
|
||||
description: !empty(description) ? description : null
|
||||
policyDefinitionId: policyDefinitionId
|
||||
parameters: parameters
|
||||
nonComplianceMessages: !empty(nonComplianceMessages) ? nonComplianceMessages : []
|
||||
enforcementMode: enforcementMode
|
||||
notScopes: !empty(notScopes) ? notScopes : []
|
||||
}
|
||||
identity: identity_var
|
||||
}
|
||||
|
||||
resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for roleDefinitionId in roleDefinitionIds: if (!empty(roleDefinitionIds) && identity == 'SystemAssigned') {
|
||||
name: guid(subscriptionId, roleDefinitionId, location, name)
|
||||
properties: {
|
||||
roleDefinitionId: roleDefinitionId
|
||||
principalId: policyAssignment.identity.principalId
|
||||
principalType: 'ServicePrincipal'
|
||||
}
|
||||
}]
|
||||
|
||||
@sys.description('Policy Assignment Name.')
|
||||
output name string = policyAssignment.name
|
||||
|
||||
@sys.description('Policy Assignment principal ID.')
|
||||
output principalId string = identity == 'SystemAssigned' ? policyAssignment.identity.principalId : ''
|
||||
|
||||
@sys.description('Policy Assignment resource ID.')
|
||||
output resourceId string = subscriptionResourceId(subscriptionId, 'Microsoft.Authorization/policyAssignments', policyAssignment.name)
|
||||
|
||||
@sys.description('The location the resource was deployed into.')
|
||||
output location string = policyAssignment.location
|
|
@ -1,56 +0,0 @@
|
|||
# Policy Assignment on Subscription level `[Microsoft.Authorization/policyAssignments/subscription]`
|
||||
|
||||
With this module you can perform policy assignments on a subscription level.
|
||||
|
||||
## Navigation
|
||||
|
||||
- [Resource Types](#Resource-Types)
|
||||
- [Parameters](#Parameters)
|
||||
- [Outputs](#Outputs)
|
||||
- [Cross-referenced modules](#Cross-referenced-modules)
|
||||
|
||||
## Resource Types
|
||||
|
||||
| Resource Type | API Version |
|
||||
| :-- | :-- |
|
||||
| `Microsoft.Authorization/policyAssignments` | [2021-06-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2021-06-01/policyAssignments) |
|
||||
| `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://docs.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
|
||||
|
||||
## Parameters
|
||||
|
||||
**Required parameters**
|
||||
| Parameter Name | Type | Description |
|
||||
| :-- | :-- | :-- |
|
||||
| `name` | string | Specifies the name of the policy assignment. Maximum length is 64 characters for subscription scope. |
|
||||
| `policyDefinitionId` | string | Specifies the ID of the policy definition or policy set definition being assigned. |
|
||||
|
||||
**Optional parameters**
|
||||
| Parameter Name | Type | Default Value | Allowed Values | Description |
|
||||
| :-- | :-- | :-- | :-- | :-- |
|
||||
| `description` | string | `''` | | This message will be part of response in case of policy violation. |
|
||||
| `displayName` | string | `''` | | The display name of the policy assignment. Maximum length is 128 characters. |
|
||||
| `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via the Customer Usage Attribution ID (GUID). |
|
||||
| `enforcementMode` | string | `'Default'` | `[Default, DoNotEnforce]` | The policy assignment enforcement mode. Possible values are Default and DoNotEnforce. - Default or DoNotEnforce. |
|
||||
| `identity` | string | `'SystemAssigned'` | `[None, SystemAssigned, UserAssigned]` | The managed identity associated with the policy assignment. Policy assignments must include a resource identity when assigning 'Modify' policy definitions. |
|
||||
| `location` | string | `[deployment().location]` | | Location for all resources. |
|
||||
| `metadata` | object | `{object}` | | The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs. |
|
||||
| `nonComplianceMessages` | array | `[]` | | The messages that describe why a resource is non-compliant with the policy. |
|
||||
| `notScopes` | array | `[]` | | The policy excluded scopes. |
|
||||
| `parameters` | object | `{object}` | | Parameters for the policy assignment if needed. |
|
||||
| `roleDefinitionIds` | array | `[]` | | The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://docs.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition. |
|
||||
| `subscriptionId` | string | `[subscription().subscriptionId]` | | The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment. If not provided, will use the current scope for deployment. |
|
||||
| `userAssignedIdentityId` | string | `''` | | The Resource ID for the user assigned identity to assign to the policy assignment. |
|
||||
|
||||
|
||||
## Outputs
|
||||
|
||||
| Output Name | Type | Description |
|
||||
| :-- | :-- | :-- |
|
||||
| `location` | string | The location the resource was deployed into. |
|
||||
| `name` | string | Policy Assignment Name. |
|
||||
| `principalId` | string | Policy Assignment principal ID. |
|
||||
| `resourceId` | string | Policy Assignment resource ID. |
|
||||
|
||||
## Cross-referenced modules
|
||||
|
||||
_None_
|
|
@ -1,4 +0,0 @@
|
|||
{
|
||||
"$schema": "https://raw.githubusercontent.com/dotnet/Nerdbank.GitVersioning/master/src/NerdBank.GitVersioning/version.schema.json",
|
||||
"version": "0.4"
|
||||
}
|
Некоторые файлы не были показаны из-за слишком большого количества измененных файлов Показать больше
Загрузка…
Ссылка в новой задаче