diff --git a/avm/res/purview/account/README.md b/avm/res/purview/account/README.md index 1abd9cda78..af03ada137 100644 --- a/avm/res/purview/account/README.md +++ b/avm/res/purview/account/README.md @@ -20,7 +20,7 @@ This module deploys a Purview Account. | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | | `Microsoft.Network/privateEndpoints` | [2023-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-11-01/privateEndpoints) | | `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-11-01/privateEndpoints/privateDnsZoneGroups) | -| `Microsoft.Purview/accounts` | [2021-07-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Purview/2021-07-01/accounts) | +| `Microsoft.Purview/accounts` | [2021-12-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Purview/2021-12-01/accounts) | ## Usage examples @@ -31,8 +31,9 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br/public:avm/res/purview/account:`. - [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) +- [Public network access disabled for Purview managed resources](#example-2-public-network-access-disabled-for-purview-managed-resources) +- [Using large parameter set](#example-3-using-large-parameter-set) +- [WAF-aligned](#example-4-waf-aligned) ### Example 1: _Using only defaults_ @@ -98,7 +99,76 @@ param location = ''

-### Example 2: _Using large parameter set_ +### Example 2: _Public network access disabled for Purview managed resources_ + +This instance deploys the module with public network access disabled for Purview managed resources. + + +

+ +via Bicep module + +```bicep +module account 'br/public:avm/res/purview/account:' = { + name: 'accountDeployment' + params: { + // Required parameters + name: 'pvaing001' + // Non-required parameters + location: '' + managedResourcesPublicNetworkAccess: 'Disabled' + } +} +``` + +
+

+ +

+ +via JSON parameters file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "pvaing001" + }, + // Non-required parameters + "location": { + "value": "" + }, + "managedResourcesPublicNetworkAccess": { + "value": "Disabled" + } + } +} +``` + +
+

+ +

+ +via Bicep parameters file + +```bicep-params +using 'br/public:avm/res/purview/account:' + +// Required parameters +param name = 'pvaing001' +// Non-required parameters +param location = '' +param managedResourcesPublicNetworkAccess = 'Disabled' +``` + +
+

+ +### Example 3: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -663,7 +733,7 @@ param tags = {

-### Example 3: _WAF-aligned_ +### Example 4: _WAF-aligned_ This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. @@ -1003,8 +1073,10 @@ param tags = { | [`eventHubPrivateEndpoints`](#parameter-eventhubprivateendpoints) | array | Configuration details for Purview Managed Event Hub namespace private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'namespace'. | | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | +| [`managedEventHubState`](#parameter-managedeventhubstate) | string | The state of the managed Event Hub. | | [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | | [`managedResourceGroupName`](#parameter-managedresourcegroupname) | string | The Managed Resource Group Name. A managed Storage Account, and an Event Hubs will be created in the selected subscription for catalog ingestion scenarios. Default is 'managed-rg-'. | +| [`managedResourcesPublicNetworkAccess`](#parameter-managedresourcespublicnetworkaccess) | string | Whether or not public network access is allowed for managed resources. | | [`portalPrivateEndpoints`](#parameter-portalprivateendpoints) | array | Configuration details for Purview Portal private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'portal'. | | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | 
@@ -2039,6 +2111,22 @@ Specify the name of lock. - Required: No - Type: string +### Parameter: `managedEventHubState` + +The state of the managed Event Hub. + +- Required: No +- Type: string +- Default: `'Enabled'` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + 'NotSpecified' + ] + ``` + ### Parameter: `managedIdentities` The managed identity definition for this resource. @@ -2067,6 +2155,22 @@ The Managed Resource Group Name. A managed Storage Account, and an Event Hubs wi - Type: string - Default: `[format('managed-rg-{0}', parameters('name'))]` +### Parameter: `managedResourcesPublicNetworkAccess` + +Whether or not public network access is allowed for managed resources. + +- Required: No +- Type: string +- Default: `'NotSpecified'` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + 'NotSpecified' + ] + ``` + ### Parameter: `portalPrivateEndpoints` Configuration details for Purview Portal private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'portal'. diff --git a/avm/res/purview/account/main.bicep b/avm/res/purview/account/main.bicep index e3ec79f296..2e04c91aef 100644 --- a/avm/res/purview/account/main.bicep +++ b/avm/res/purview/account/main.bicep 
@@ -17,9 +17,25 @@ import { managedIdentityOnlyUserAssignedType } from 'br/public:avm/utl/types/avm
 @description('Optional. The managed identity definition for this resource.')
 param managedIdentities managedIdentityOnlyUserAssignedType?
 
+@description('Optional. The state of the managed Event Hub.')
+@allowed([
+ 'Enabled'
+ 'Disabled'
+ 'NotSpecified'
+])
+param managedEventHubState string = 'Enabled'
+
 @description('Optional. The Managed Resource Group Name. A managed Storage Account, and an Event Hubs will be created in the selected subscription for catalog ingestion scenarios. Default is \'managed-rg-\'.')
 param managedResourceGroupName string = 'managed-rg-${name}'
 
+@description('Optional. Whether or not public network access is allowed for managed resources.')
+@allowed([
+ 'Enabled'
+ 'Disabled'
+ 'NotSpecified'
+])
+param managedResourcesPublicNetworkAccess string = 'NotSpecified'
+
 @description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set.')
 @allowed([
 'Enabled'
@@ -114,14 +130,16 @@ resource avmTelemetry 'Microsoft.Resources/deployments@2024-03-01' = if (enableT
 }
 }
 
-resource account 'Microsoft.Purview/accounts@2021-07-01' = {
+resource account 'Microsoft.Purview/accounts@2021-12-01' = {
 name: name
 location: location
 tags: tags
 identity: identity
 properties: {
 cloudConnectors: {}
+ managedEventHubState: managedEventHubState
 managedResourceGroupName: managedResourceGroupName
+ managedResourcesPublicNetworkAccess: managedResourcesPublicNetworkAccess
 publicNetworkAccess: publicNetworkAccess
 }
 }
diff --git a/avm/res/purview/account/main.json b/avm/res/purview/account/main.json
index 20e38c94f8..019e5d5c55 100644
--- a/avm/res/purview/account/main.json
+++ b/avm/res/purview/account/main.json
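Review bot: The `managedResourcesPublicNetworkAccess` parameter added in the first hunk is described without the security guidance its sibling `publicNetworkAccess` carries a few lines below, and the README row generated from that description inherits the gap; with the default `'NotSpecified'` the managed Storage Account and Event Hubs namespace stay at whatever the service default is. I would extend it to `@description('Optional. Whether or not public network access is allowed for the managed resources (Storage Account and Event Hubs namespace). For security reasons it should be disabled.')`. The commit does not touch the WAF-aligned test, so presumably that example still leaves this parameter at its default; setting `managedResourcesPublicNetworkAccess: 'Disabled'` there would keep the hardened example consistent. Note also that the second hunk now always sends an explicit `managedEventHubState: 'Enabled'` where the property was previously omitted; if the service default differs, a redeploy of an existing account changes its managed Event Hub state, which is worth calling out alongside the 0.6 version bump.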
@@ -5,8 +5,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.30.23.60470",
- "templateHash": "6120060466877826337"
+ "version": "0.31.92.45157",
+ "templateHash": "18280782395141983115"
 },
 "name": "Purview Accounts",
 "description": "This module deploys a Purview Account.",
@@ -503,6 +503,18 @@
 "description": "Optional. The managed identity definition for this resource."
 }
 },
+ "managedEventHubState": {
+ "type": "string",
+ "defaultValue": "Enabled",
+ "allowedValues": [
+ "Enabled",
+ "Disabled",
+ "NotSpecified"
+ ],
+ "metadata": {
+ "description": "Optional. The state of the managed Event Hub."
+ }
+ },
 "managedResourceGroupName": {
 "type": "string",
 "defaultValue": "[format('managed-rg-{0}', parameters('name'))]",
@@ -510,6 +522,18 @@
 "description": "Optional. The Managed Resource Group Name. A managed Storage Account, and an Event Hubs will be created in the selected subscription for catalog ingestion scenarios. Default is 'managed-rg-'."
 }
 },
+ "managedResourcesPublicNetworkAccess": {
+ "type": "string",
+ "defaultValue": "NotSpecified",
+ "allowedValues": [
+ "Enabled",
+ "Disabled",
+ "NotSpecified"
+ ],
+ "metadata": {
+ "description": "Optional. Whether or not public network access is allowed for managed resources."
+ }
+ },
 "publicNetworkAccess": {
 "type": "string",
 "defaultValue": "NotSpecified",
@@ -622,14 +646,16 @@
 },
 "account": {
 "type": "Microsoft.Purview/accounts",
- "apiVersion": "2021-07-01",
+ "apiVersion": "2021-12-01",
 "name": "[parameters('name')]",
 "location": "[parameters('location')]",
 "tags": "[parameters('tags')]",
 "identity": "[variables('identity')]",
 "properties": {
 "cloudConnectors": {},
+ "managedEventHubState": "[parameters('managedEventHubState')]",
 "managedResourceGroupName": "[parameters('managedResourceGroupName')]",
+ "managedResourcesPublicNetworkAccess": "[parameters('managedResourcesPublicNetworkAccess')]",
 "publicNetworkAccess": "[parameters('publicNetworkAccess')]"
 }
 },
@@ -4568,7 +4594,7 @@
 "metadata": {
 "description": "The location the resource was deployed into."
 },
- "value": "[reference('account', '2021-07-01', 'full').location]"
+ "value": "[reference('account', '2021-12-01', 'full').location]"
 },
 "managedResourceGroupName": {
 "type": "string",
@@ -4603,7 +4629,7 @@
 "metadata": {
 "description": "The principal ID of the system assigned identity."
 },
- "value": "[coalesce(tryGet(tryGet(reference('account', '2021-07-01', 'full'), 'identity'), 'principalId'), '')]"
+ "value": "[coalesce(tryGet(tryGet(reference('account', '2021-12-01', 'full'), 'identity'), 'principalId'), '')]"
 },
 "accountPrivateEndpoints": {
 "type": "array",
diff --git a/avm/res/purview/account/tests/e2e/ingestion-only/main.test.bicep b/avm/res/purview/account/tests/e2e/ingestion-only/main.test.bicep
new file mode 100644
index 0000000000..c51f3ef6fb
--- /dev/null
+++ b/avm/res/purview/account/tests/e2e/ingestion-only/main.test.bicep
@@ -0,0 +1,52 @@
+targetScope = 'subscription'
+
+metadata name = 'Public network access disabled for Purview managed resources'
+metadata description = 'This instance deploys the module with public network access disabled for Purview managed resources.'
+
+// ========== //
+// Parameters //
+// ========== //
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-purview-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param resourceLocation string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'pvaing'
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '#_namePrefix_#'
+
+// Set to fixed location as the RP function returns unsupported locations
+// Right now (2024/07) the following locations are supported: uksouth
+param enforcedLocation string = 'uksouth'
+
+// =========== //
+// Deployments //
+// =========== //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: resourceLocation
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [
+ for iteration in ['init', 'idem']: {
+ name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}-${iteration}'
+ scope: resourceGroup
+ params: {
+ name: '${namePrefix}${serviceShort}001'
+ location: enforcedLocation
+ managedResourcesPublicNetworkAccess: 'Disabled'
+ }
+ }
+]
diff --git a/avm/res/purview/account/version.json b/avm/res/purview/account/version.json
index a8eda31021..9ed3662aba 100644
--- a/avm/res/purview/account/version.json
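Review bot: `param enforcedLocation string = 'uksouth'` is the only parameter in the new test file without an `@description` decorator, while the four parameters above it all carry one; `@description('Optional. The location to deploy the Purview account to. Fixed because the resource provider only supports a subset of regions.')` keeps the file consistent with the convention used in the rest of it. The test pins `managedResourcesPublicNetworkAccess: 'Disabled'`, but nothing in this commit sets `managedEventHubState`, so the other parameter added to main.bicep is only exercised at its `'Enabled'` default unless a test outside this diff covers it. The dated comment `// Right now (2024/07) the following locations are supported: uksouth` will go stale; naming where that list was taken from would let a future reader re-check it.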
+++ b/avm/res/purview/account/version.json
@@ -1,7 +1,7 @@
 {
 "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.5",
+ "version": "0.6",
 "pathFilters": [
 "./main.json"
 ]
-}
\ No newline at end of file
+}