-
Notifications
You must be signed in to change notification settings - Fork 378
/
main.bicep
424 lines (362 loc) · 15.6 KB
/
main.bicep
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
metadata name = 'CDN Profiles'
metadata description = 'This module deploys a CDN Profile.'
metadata owner = 'Azure/module-maintainers'
@description('Required. Name of the CDN profile.')
param name string
@description('Optional. Location for all Resources.')
param location string = resourceGroup().location
@allowed([
'Premium_AzureFrontDoor'
'StandardPlus_955BandWidth_ChinaCdn'
'StandardPlus_AvgBandWidth_ChinaCdn'
'StandardPlus_ChinaCdn'
'Standard_955BandWidth_ChinaCdn'
'Standard_AvgBandWidth_ChinaCdn'
'Standard_AzureFrontDoor'
'Standard_ChinaCdn'
'Standard_Microsoft'
])
@description('Required. The pricing tier (defines a CDN provider, feature list and rate) of the CDN profile.')
param sku string
@description('Optional. Send and receive timeout on forwarding request to the origin.')
param originResponseTimeoutSeconds int = 60
@description('Optional. Name of the endpoint under the profile which is unique globally.')
param endpointName string?
@description('Optional. Endpoint properties (see https://learn.microsoft.com/en-us/azure/templates/microsoft.cdn/profiles/endpoints?pivots=deployment-language-bicep#endpointproperties for details).')
param endpointProperties object?
@description('Optional. Array of secret objects.')
param secrets array = []
@description('Optional. Array of custom domain objects.')
param customDomains customDomainType[] = []
@description('Conditional. Array of origin group objects. Required if the afdEndpoints is specified.')
param originGroups originGroupType[] = []
@description('Optional. Array of rule set objects.')
param ruleSets ruleSetType[] = []
@description('Optional. Array of AFD endpoint objects.')
param afdEndpoints afdEndpointType[] = []
@description('Optional. Array of Security Policy objects (see https://learn.microsoft.com/en-us/azure/templates/microsoft.cdn/profiles/securitypolicies for details).')
param securityPolicies securityPolicyType = []
@description('Optional. Endpoint tags.')
param tags object?
@description('Optional. The managed identity definition for this resource.')
param managedIdentities managedIdentitiesType
@description('Optional. The lock settings of the service.')
param lock lockType
@description('Optional. Array of role assignments to create.')
param roleAssignments roleAssignmentType
@description('Optional. Enable/Disable usage telemetry for module.')
param enableTelemetry bool = true
@description('Optional. The diagnostic settings of the service.')
param diagnosticSettings diagnosticSettingFullType[]?
var builtInRoleNames = {
'CDN Endpoint Contributor': subscriptionResourceId(
'Microsoft.Authorization/roleDefinitions',
'426e0c7f-0c7e-4658-b36f-ff54d6c29b45'
)
'CDN Endpoint Reader': subscriptionResourceId(
'Microsoft.Authorization/roleDefinitions',
'871e35f6-b5c1-49cc-a043-bde969a0f2cd'
)
'CDN Profile Contributor': subscriptionResourceId(
'Microsoft.Authorization/roleDefinitions',
'ec156ff8-a8d1-4d15-830c-5b80698ca432'
)
'CDN Profile Reader': subscriptionResourceId(
'Microsoft.Authorization/roleDefinitions',
'8f96442b-4075-438f-813d-ad51ab4019af'
)
Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')
Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')
Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')
'Role Based Access Control Administrator': subscriptionResourceId(
'Microsoft.Authorization/roleDefinitions',
'f58310d9-a9f6-439a-9e8d-f62e7b41a168'
)
'User Access Administrator': subscriptionResourceId(
'Microsoft.Authorization/roleDefinitions',
'18d7d88d-d35e-4fb5-a5c3-7773c20a72d9'
)
}
var formattedRoleAssignments = [
for (roleAssignment, index) in (roleAssignments ?? []): union(roleAssignment, {
roleDefinitionId: builtInRoleNames[?roleAssignment.roleDefinitionIdOrName] ?? (contains(
roleAssignment.roleDefinitionIdOrName,
'/providers/Microsoft.Authorization/roleDefinitions/'
)
? roleAssignment.roleDefinitionIdOrName
: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName))
})
]
var formattedUserAssignedIdentities = reduce(
map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }),
{},
(cur, next) => union(cur, next)
) // Converts the flat array to an object like { '${id1}': {}, '${id2}': {} }
var identity = !empty(managedIdentities)
? {
type: (managedIdentities.?systemAssigned ?? false)
? (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'SystemAssigned,UserAssigned' : 'SystemAssigned')
: (!empty(managedIdentities.?userAssignedResourceIds ?? {}) ? 'UserAssigned' : 'None')
userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
}
: null
#disable-next-line no-deployments-resources
resource avmTelemetry 'Microsoft.Resources/deployments@2024-03-01' = if (enableTelemetry) {
name: '46d3xbcp.res.cdn-profile.${replace('-..--..-', '.', '-')}.${substring(uniqueString(deployment().name, location), 0, 4)}'
properties: {
mode: 'Incremental'
template: {
'$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
contentVersion: '1.0.0.0'
resources: []
outputs: {
telemetry: {
type: 'String'
value: 'For more information, see https://aka.ms/avm/TelemetryInfo'
}
}
}
}
}
resource profile 'Microsoft.Cdn/profiles@2023-05-01' = {
name: name
location: location
identity: identity
sku: {
name: sku
}
properties: {
originResponseTimeoutSeconds: originResponseTimeoutSeconds
}
tags: tags
}
resource profile_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
name: lock.?name ?? 'lock-${name}'
properties: {
level: lock.?kind ?? ''
notes: lock.?kind == 'CanNotDelete'
? 'Cannot delete resource or child resources.'
: 'Cannot delete or modify the resource or child resources.'
}
scope: profile
}
resource profile_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [
for (roleAssignment, index) in (formattedRoleAssignments ?? []): {
name: roleAssignment.?name ?? guid(profile.id, roleAssignment.principalId, roleAssignment.roleDefinitionId)
properties: {
roleDefinitionId: roleAssignment.roleDefinitionId
principalId: roleAssignment.principalId
description: roleAssignment.?description
principalType: roleAssignment.?principalType
condition: roleAssignment.?condition
conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set
delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId
}
scope: profile
}
]
resource profile_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [
for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
properties: {
storageAccountId: diagnosticSetting.?storageAccountResourceId
workspaceId: diagnosticSetting.?workspaceResourceId
eventHubAuthorizationRuleId: diagnosticSetting.?eventHubAuthorizationRuleResourceId
eventHubName: diagnosticSetting.?eventHubName
metrics: [
for group in (diagnosticSetting.?metricCategories ?? [{ category: 'AllMetrics' }]): {
category: group.category
enabled: group.?enabled ?? true
timeGrain: null
}
]
logs: [
for group in (diagnosticSetting.?logCategoriesAndGroups ?? [{ categoryGroup: 'allLogs' }]): {
categoryGroup: group.?categoryGroup
category: group.?category
enabled: group.?enabled ?? true
}
]
marketplacePartnerId: diagnosticSetting.?marketplacePartnerResourceId
logAnalyticsDestinationType: diagnosticSetting.?logAnalyticsDestinationType
}
scope: profile
}
]
module profile_endpoint 'endpoint/main.bicep' = if (!empty(endpointProperties)) {
name: '${uniqueString(deployment().name, location)}-Profile-Endpoint'
params: {
name: endpointName ?? '${profile.name}-endpoint'
properties: endpointProperties ?? {}
location: location
profileName: profile.name
}
}
module profile_secrets 'secret/main.bicep' = [
for (secret, index) in secrets: {
name: '${uniqueString(deployment().name)}-Profile-Secret-${index}'
params: {
name: secret.name
profileName: profile.name
type: secret.type
secretSourceResourceId: secret.secretSourceResourceId
subjectAlternativeNames: secret.?subjectAlternativeNames
useLatestVersion: secret.?useLatestVersion
secretVersion: secret.secretVersion
}
}
]
module profile_customDomains 'customdomain/main.bicep' = [
for (customDomain, index) in customDomains: {
name: '${uniqueString(deployment().name)}-CustomDomain-${index}'
dependsOn: [
profile_secrets
]
params: {
name: customDomain.name
profileName: profile.name
hostName: customDomain.hostName
azureDnsZoneResourceId: customDomain.?azureDnsZoneResourceId
extendedProperties: customDomain.?extendedProperties
certificateType: customDomain.certificateType
minimumTlsVersion: customDomain.?minimumTlsVersion
preValidatedCustomDomainResourceId: customDomain.?preValidatedCustomDomainResourceId
secretName: customDomain.?secretName
}
}
]
module profile_originGroups 'origingroup/main.bicep' = [
for (origingroup, index) in originGroups: {
name: '${uniqueString(deployment().name)}-Profile-OriginGroup-${index}'
params: {
name: origingroup.name
profileName: profile.name
loadBalancingSettings: origingroup.loadBalancingSettings
healthProbeSettings: origingroup.?healthProbeSettings
sessionAffinityState: origingroup.?sessionAffinityState
trafficRestorationTimeToHealedOrNewEndpointsInMinutes: origingroup.?trafficRestorationTimeToHealedOrNewEndpointsInMinutes
origins: origingroup.origins
}
}
]
module profile_ruleSets 'ruleset/main.bicep' = [
for (ruleSet, index) in ruleSets: {
name: '${uniqueString(deployment().name)}-Profile-RuleSet-${index}'
params: {
name: ruleSet.name
profileName: profile.name
rules: ruleSet.rules
}
}
]
module profile_afdEndpoints 'afdEndpoint/main.bicep' = [
for (afdEndpoint, index) in afdEndpoints: {
name: '${uniqueString(deployment().name)}-Profile-AfdEndpoint-${index}'
dependsOn: [
profile_originGroups
profile_customDomains
profile_ruleSets
]
params: {
name: afdEndpoint.name
location: location
profileName: profile.name
autoGeneratedDomainNameLabelScope: afdEndpoint.?autoGeneratedDomainNameLabelScope
enabledState: afdEndpoint.?enabledState
routes: afdEndpoint.?routes
tags: afdEndpoint.?tags ?? tags
}
}
]
module profile_securityPolicies 'securityPolicies/main.bicep' = [
for (securityPolicy, index) in securityPolicies: {
name: '${uniqueString(deployment().name)}-Profile-SecurityPolicy-${index}'
dependsOn: [
profile_afdEndpoints
profile_customDomains
]
params: {
name: securityPolicy.name
profileName: profile.name
associations: securityPolicy.associations
wafPolicyResourceId: securityPolicy.wafPolicyResourceId
}
}
]
@description('The name of the CDN profile.')
output name string = profile.name
@description('The resource ID of the CDN profile.')
output resourceId string = profile.id
@description('The resource group where the CDN profile is deployed.')
output resourceGroupName string = resourceGroup().name
@description('The type of the CDN profile.')
output profileType string = profile.type
@description('The location the resource was deployed into.')
output location string = profile.location
@description('The name of the CDN profile endpoint.')
output endpointName string = !empty(endpointProperties) ? profile_endpoint.outputs.name : ''
@description('The resource ID of the CDN profile endpoint.')
output endpointId string = !empty(endpointProperties) ? profile_endpoint.outputs.resourceId : ''
@description('The uri of the CDN profile endpoint.')
output uri string = !empty(endpointProperties) ? profile_endpoint.outputs.uri : ''
@description('The principal ID of the system assigned identity.')
output systemAssignedMIPrincipalId string = profile.?identity.?principalId ?? ''
@description('The list of records required for custom domains validation.')
output dnsValidation dnsValidationType[] = [
for (customDomain, index) in customDomains: profile_customDomains[index].outputs.dnsValidation
]
@description('The list of AFD endpoint host names.')
output frontDoorEndpointHostNames array = [
for (afdEndpoint, index) in afdEndpoints: profile_afdEndpoints[index].outputs.frontDoorEndpointHostName
]
// =============== //
// Definitions //
// =============== //
import { afdEndpointType } from 'afdEndpoint/main.bicep'
import { customDomainType } from 'customdomain/main.bicep'
import { originGroupType } from 'origingroup/main.bicep'
import { originType } from 'origingroup//origin/main.bicep'
import { associationsType } from 'securityPolicies/main.bicep'
import { ruleSetType } from 'ruleset/main.bicep'
import { ruleType } from 'ruleset/rule/main.bicep'
import { dnsValidationType } from 'customdomain/main.bicep'
import { diagnosticSettingFullType } from 'br/public:avm/utl/types/avm-common-types:0.4.0'
type managedIdentitiesType = {
@description('Optional. Enables system assigned managed identity on the resource.')
systemAssigned: bool?
@description('Optional. The resource ID(s) to assign to the resource.')
userAssignedResourceIds: string[]?
}?
@export()
type securityPolicyType = {
@description('Required. Name of the security policy.')
name: string
@description('Required. Domain names and URL patterns to match with this association.')
associations: associationsType
@description('Required. Resource ID of WAF policy.')
wafPolicyResourceId: string
}[]
type lockType = {
@description('Optional. Specify the name of lock.')
name: string?
@description('Optional. Specify the type of lock.')
kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
}?
type roleAssignmentType = {
@description('Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated.')
name: string?
@description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
roleDefinitionIdOrName: string
@description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
principalId: string
@description('Optional. The principal type of the assigned principal ID.')
principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
@description('Optional. The description of the role assignment.')
description: string?
@description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".')
condition: string?
@description('Optional. Version of the condition.')
conditionVersion: '2.0'?
@description('Optional. The Resource Id of the delegated managed identity resource.')
delegatedManagedIdentityResourceId: string?
}[]?