feat: Adding support for enabling ingestion-only. (Azure#3840)

## Description Added support for enabling ingestion-only. Updated API to latest stable version. Fixes Azure#3682 Closes Azure#3682 ## Pipeline Reference  | Pipeline | | -------- | | [![avm.res.purview.account](https://github.com/hundredacres/bicep-registry-modules/actions/workflows/avm.res.purview.account.yml/badge.svg?branch=feat%2Fissues%2F3682)](https://github.com/hundredacres/bicep-registry-modules/actions/workflows/avm.res.purview.account.yml) | ## Type of Change  - [ ] Update to CI Environment or utilities (Non-module affecting changes) - [X] Azure Verified Module updates: - [ ] Bugfix containing backwards-compatible bug fixes, and I have NOT bumped the MAJOR or MINOR version in `version.json`: - [X] Someone has opened a bug report issue, and I have included "Closes #{bug_report_issue_number}" in the PR description. - [ ] The bug was found by the module author, and no one has opened an issue to report it yet. - [X] Feature update backwards compatible feature updates, and I have bumped the MINOR version in `version.json`. - [ ] Breaking changes and I have bumped the MAJOR version in `version.json`. - [ ] Update to documentation ## Checklist - [X] I'm sure there are no other open Pull Requests for the same update/change - [X] I have run `Set-AVMModule` locally to generate the supporting module files. - [X] My corresponding pipelines / checks run clean and green without any errors or warnings
AlexanderSehr · Nov 25, 2024 · 25637dd · 25637dd
1 parent be90155
commit 25637dd
Show file tree

Hide file tree

Showing 5 changed files with 213 additions and 13 deletions.
diff --git a/avm/res/purview/account/README.md b/avm/res/purview/account/README.md
@@ -20,7 +20,7 @@ This module deploys a Purview Account.
 | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) |
 | `Microsoft.Network/privateEndpoints` | [2023-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-11-01/privateEndpoints) |
 | `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-11-01/privateEndpoints/privateDnsZoneGroups) |
-| `Microsoft.Purview/accounts` | [2021-07-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Purview/2021-07-01/accounts) |
+| `Microsoft.Purview/accounts` | [2021-12-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Purview/2021-12-01/accounts) |
 
 ## Usage examples
 
@@ -31,8 +31,9 @@ The following section provides usage examples for the module, which were used to
 >**Note**: To reference the module, please use the following syntax `br/public:avm/res/purview/account:<version>`.
 
 - [Using only defaults](#example-1-using-only-defaults)
-- [Using large parameter set](#example-2-using-large-parameter-set)
-- [WAF-aligned](#example-3-waf-aligned)
+- [Public network access disabled for Purview managed resources](#example-2-public-network-access-disabled-for-purview-managed-resources)
+- [Using large parameter set](#example-3-using-large-parameter-set)
+- [WAF-aligned](#example-4-waf-aligned)
 
 ### Example 1: _Using only defaults_
 
@@ -98,7 +99,76 @@ param location = '<location>'
 </details>
 <p>
 
-### Example 2: _Using large parameter set_
+### Example 2: _Public network access disabled for Purview managed resources_
+
+This instance deploys the module with public network access disabled for Purview managed resources.
+
+
+<details>
+
+<summary>via Bicep module</summary>
+
+```bicep
+module account 'br/public:avm/res/purview/account:<version>' = {
+  name: 'accountDeployment'
+  params: {
+    // Required parameters
+    name: 'pvaing001'
+    // Non-required parameters
+    location: '<location>'
+    managedResourcesPublicNetworkAccess: 'Disabled'
+  }
+}
+```
+
+</details>
+<p>
+
+<details>
+
+<summary>via JSON parameters file</summary>
+
+```json
+{
+  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
+  "contentVersion": "1.0.0.0",
+  "parameters": {
+    // Required parameters
+    "name": {
+      "value": "pvaing001"
+    },
+    // Non-required parameters
+    "location": {
+      "value": "<location>"
+    },
+    "managedResourcesPublicNetworkAccess": {
+      "value": "Disabled"
+    }
+  }
+}
+```
+
+</details>
+<p>
+
+<details>
+
+<summary>via Bicep parameters file</summary>
+
+```bicep-params
+using 'br/public:avm/res/purview/account:<version>'
+
+// Required parameters
+param name = 'pvaing001'
+// Non-required parameters
+param location = '<location>'
+param managedResourcesPublicNetworkAccess = 'Disabled'
+```
+
+</details>
+<p>
+
+### Example 3: _Using large parameter set_
 
 This instance deploys the module with most of its features enabled.
 
@@ -663,7 +733,7 @@ param tags = {
 </details>
 <p>
 
-### Example 3: _WAF-aligned_
+### Example 4: _WAF-aligned_
 
 This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.
 
@@ -1003,8 +1073,10 @@ param tags = {
 | [`eventHubPrivateEndpoints`](#parameter-eventhubprivateendpoints) | array | Configuration details for Purview Managed Event Hub namespace private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'namespace'. |
 | [`location`](#parameter-location) | string | Location for all resources. |
 | [`lock`](#parameter-lock) | object | The lock settings of the service. |
+| [`managedEventHubState`](#parameter-managedeventhubstate) | string | The state of the managed Event Hub. |
 | [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. |
 | [`managedResourceGroupName`](#parameter-managedresourcegroupname) | string | The Managed Resource Group Name. A managed Storage Account, and an Event Hubs will be created in the selected subscription for catalog ingestion scenarios. Default is 'managed-rg-<purview-account-name>'. |
+| [`managedResourcesPublicNetworkAccess`](#parameter-managedresourcespublicnetworkaccess) | string | Whether or not public network access is allowed for managed resources. |
 | [`portalPrivateEndpoints`](#parameter-portalprivateendpoints) | array | Configuration details for Purview Portal private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'portal'. |
 | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. |
 | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. |
@@ -2039,6 +2111,22 @@ Specify the name of lock.
 - Required: No
 - Type: string
 
+### Parameter: `managedEventHubState`
+
+The state of the managed Event Hub.
+
+- Required: No
+- Type: string
+- Default: `'Enabled'`
+- Allowed:
+  ```Bicep
+  [
+    'Disabled'
+    'Enabled'
+    'NotSpecified'
+  ]
+  ```
+
 ### Parameter: `managedIdentities`
 
 The managed identity definition for this resource.
@@ -2067,6 +2155,22 @@ The Managed Resource Group Name. A managed Storage Account, and an Event Hubs wi
 - Type: string
 - Default: `[format('managed-rg-{0}', parameters('name'))]`
 
+### Parameter: `managedResourcesPublicNetworkAccess`
+
+Whether or not public network access is allowed for managed resources.
+
+- Required: No
+- Type: string
+- Default: `'NotSpecified'`
+- Allowed:
+  ```Bicep
+  [
+    'Disabled'
+    'Enabled'
+    'NotSpecified'
+  ]
+  ```
+
 ### Parameter: `portalPrivateEndpoints`
 
 Configuration details for Purview Portal private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'portal'.

diff --git a/avm/res/purview/account/main.bicep b/avm/res/purview/account/main.bicep
@@ -17,9 +17,25 @@ import { managedIdentityOnlyUserAssignedType } from 'br/public:avm/utl/types/avm
 @description('Optional. The managed identity definition for this resource.')
 param managedIdentities managedIdentityOnlyUserAssignedType?
 
+@description('Optional. The state of the managed Event Hub.')
+@allowed([
+  'Enabled'
+  'Disabled'
+  'NotSpecified'
+])
+param managedEventHubState string = 'Enabled'
+
 @description('Optional. The Managed Resource Group Name. A managed Storage Account, and an Event Hubs will be created in the selected subscription for catalog ingestion scenarios. Default is \'managed-rg-<purview-account-name>\'.')
 param managedResourceGroupName string = 'managed-rg-${name}'
 
+@description('Optional. Whether or not public network access is allowed for managed resources.')
+@allowed([
+  'Enabled'
+  'Disabled'
+  'NotSpecified'
+])
+param managedResourcesPublicNetworkAccess string = 'NotSpecified'
+
 @description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set.')
 @allowed([
   'Enabled'
@@ -114,14 +130,16 @@ resource avmTelemetry 'Microsoft.Resources/deployments@2024-03-01' = if (enableT
   }
 }
 
-resource account 'Microsoft.Purview/accounts@2021-07-01' = {
+resource account 'Microsoft.Purview/accounts@2021-12-01' = {
   name: name
   location: location
   tags: tags
   identity: identity
   properties: {
     cloudConnectors: {}
+    managedEventHubState: managedEventHubState
     managedResourceGroupName: managedResourceGroupName
+    managedResourcesPublicNetworkAccess: managedResourcesPublicNetworkAccess
     publicNetworkAccess: publicNetworkAccess
   }
 }

diff --git a/avm/res/purview/account/main.json b/avm/res/purview/account/main.json
@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.30.23.60470",
-      "templateHash": "6120060466877826337"
+      "version": "0.31.92.45157",
+      "templateHash": "18280782395141983115"
     },
     "name": "Purview Accounts",
     "description": "This module deploys a Purview Account.",
@@ -503,13 +503,37 @@
         "description": "Optional. The managed identity definition for this resource."
       }
     },
+    "managedEventHubState": {
+      "type": "string",
+      "defaultValue": "Enabled",
+      "allowedValues": [
+        "Enabled",
+        "Disabled",
+        "NotSpecified"
+      ],
+      "metadata": {
+        "description": "Optional. The state of the managed Event Hub."
+      }
+    },
     "managedResourceGroupName": {
       "type": "string",
       "defaultValue": "[format('managed-rg-{0}', parameters('name'))]",
       "metadata": {
         "description": "Optional. The Managed Resource Group Name. A managed Storage Account, and an Event Hubs will be created in the selected subscription for catalog ingestion scenarios. Default is 'managed-rg-<purview-account-name>'."
       }
     },
+    "managedResourcesPublicNetworkAccess": {
+      "type": "string",
+      "defaultValue": "NotSpecified",
+      "allowedValues": [
+        "Enabled",
+        "Disabled",
+        "NotSpecified"
+      ],
+      "metadata": {
+        "description": "Optional. Whether or not public network access is allowed for managed resources."
+      }
+    },
     "publicNetworkAccess": {
       "type": "string",
       "defaultValue": "NotSpecified",
@@ -622,14 +646,16 @@
     },
     "account": {
       "type": "Microsoft.Purview/accounts",
-      "apiVersion": "2021-07-01",
+      "apiVersion": "2021-12-01",
       "name": "[parameters('name')]",
       "location": "[parameters('location')]",
       "tags": "[parameters('tags')]",
       "identity": "[variables('identity')]",
       "properties": {
         "cloudConnectors": {},
+        "managedEventHubState": "[parameters('managedEventHubState')]",
         "managedResourceGroupName": "[parameters('managedResourceGroupName')]",
+        "managedResourcesPublicNetworkAccess": "[parameters('managedResourcesPublicNetworkAccess')]",
         "publicNetworkAccess": "[parameters('publicNetworkAccess')]"
       }
     },
@@ -4568,7 +4594,7 @@
       "metadata": {
         "description": "The location the resource was deployed into."
       },
-      "value": "[reference('account', '2021-07-01', 'full').location]"
+      "value": "[reference('account', '2021-12-01', 'full').location]"
     },
     "managedResourceGroupName": {
       "type": "string",
@@ -4603,7 +4629,7 @@
       "metadata": {
         "description": "The principal ID of the system assigned identity."
       },
-      "value": "[coalesce(tryGet(tryGet(reference('account', '2021-07-01', 'full'), 'identity'), 'principalId'), '')]"
+      "value": "[coalesce(tryGet(tryGet(reference('account', '2021-12-01', 'full'), 'identity'), 'principalId'), '')]"
     },
     "accountPrivateEndpoints": {
       "type": "array",

diff --git a/avm/res/purview/account/tests/e2e/ingestion-only/main.test.bicep b/avm/res/purview/account/tests/e2e/ingestion-only/main.test.bicep
@@ -0,0 +1,52 @@
+targetScope = 'subscription'
+
+metadata name = 'Public network access disabled for Purview managed resources'
+metadata description = 'This instance deploys the module with public network access disabled for Purview managed resources.'
+
+// ========== //
+// Parameters //
+// ========== //
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-purview-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param resourceLocation string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'pvaing'
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '#_namePrefix_#'
+
+// Set to fixed location as the RP function returns unsupported locations
+// Right now (2024/07) the following locations are supported: uksouth
+param enforcedLocation string = 'uksouth'
+
+// =========== //
+// Deployments //
+// =========== //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+  name: resourceGroupName
+  location: resourceLocation
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [
+  for iteration in ['init', 'idem']: {
+    name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}-${iteration}'
+    scope: resourceGroup
+    params: {
+      name: '${namePrefix}${serviceShort}001'
+      location: enforcedLocation
+      managedResourcesPublicNetworkAccess: 'Disabled'
+    }
+  }
+]
diff --git a/avm/res/purview/account/version.json b/avm/res/purview/account/version.json
@@ -1,7 +1,7 @@
 {
     "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
-    "version": "0.5",
+    "version": "0.6",
     "pathFilters": [
         "./main.json"
     ]
-}
+}