Merge branch 'main' of https://github.com/Azure/bicep-registry-modules

.github/CODEOWNERS

@@ -98,7 +98,7 @@
 /avm/res/network/network-interface/ @Azure/avm-res-network-networkinterface-module-owners-bicep @Azure/avm-core-team-technical-bicep
 /avm/res/network/network-manager/ @Azure/avm-res-network-networkmanager-module-owners-bicep @Azure/avm-core-team-technical-bicep
 /avm/res/network/network-security-group/ @Azure/avm-res-network-networksecuritygroup-module-owners-bicep @Azure/avm-core-team-technical-bicep
-#/avm/res/network/network-watcher/ @Azure/avm-res-network-networkwatcher-module-owners-bicep @Azure/avm-core-team-technical-bicep
+/avm/res/network/network-watcher/ @Azure/avm-res-network-networkwatcher-module-owners-bicep @Azure/avm-core-team-technical-bicep
 /avm/res/network/private-dns-zone/ @Azure/avm-res-network-privatednszone-module-owners-bicep @Azure/avm-core-team-technical-bicep
 /avm/res/network/private-endpoint/ @Azure/avm-res-network-privateendpoint-module-owners-bicep @Azure/avm-core-team-technical-bicep
 /avm/res/network/private-link-service/ @Azure/avm-res-network-privatelinkservice-module-owners-bicep @Azure/avm-core-team-technical-bicep

.github/ISSUE_TEMPLATE/avm_module_issue.yml

@@ -131,7 +131,7 @@ body:
         - "avm/res/network/network-interface"
         - "avm/res/network/network-manager"
         - "avm/res/network/network-security-group"
-        # - "avm/res/network/network-watcher"
+        - "avm/res/network/network-watcher"
         - "avm/res/network/private-dns-zone"
         - "avm/res/network/private-endpoint"
         - "avm/res/network/private-link-service"

.github/workflows/avm.platform.manage-workflow-issue.yml

@@ -3,6 +3,7 @@ name: "avm.platform.manage-workflow-issue"
 on:
   schedule:
     - cron: "30 5 * * *" # Every day at 5:30 am
+  workflow_dispatch:
 
 jobs:
   manage-issues:
@@ -14,16 +15,22 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - env:
-          GH_TOKEN: ${{ github.token }}
-        name: Manage issues
+      - uses: tibdex/github-app-token@v2
+        id: generate-token
+        with:
+          app_id: ${{ secrets.APP_ID }}
+          private_key: ${{ secrets.APP_PRIVATE_KEY }}
+      - name: Manage issues
         shell: pwsh
+        env:
+          GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
         run: |
           # Load used functions
           . (Join-Path $env:GITHUB_WORKSPACE 'avm' 'utilities' 'pipelines' 'platform' 'Set-AvmGithubIssueForWorkflow.ps1')
 
           $functionInput = @{
             Repo              = "${{ github.repository_owner }}/${{ github.event.repository.name }}"
+            RepoRoot          = $env:GITHUB_WORKSPACE
             LimitNumberOfRuns = 500
             LimitInDays       = 2
             IgnoreWorkflows   = @()

.github/workflows/avm.platform.set-avm-github-issue-owner-config.yml

@@ -16,16 +16,22 @@ jobs:
         uses: actions/checkout@v4
         with:
           fetch-depth: 0
-      - env:
-          GH_TOKEN: ${{ github.token }}
-        name: "Run scripts"
+      - uses: tibdex/github-app-token@v2
+        id: generate-token
+        with:
+          app_id: ${{ secrets.TEAM_LINTER_APP_ID }}
+          private_key: ${{ secrets.TEAM_LINTER_PRIVATE_KEY }}
+      - name: "Run scripts"
         shell: pwsh
+        env:
+          GITHUB_TOKEN: ${{ steps.generate-token.outputs.token }}
         run: |
           # Load used functions
-          . (Join-Path $env:GITHUB_WORKSPACE 'avm' 'utilities' 'pipelines'  'platform' 'Set-AvmGitHubIssueOwnerConfig.ps1')
+          . (Join-Path $env:GITHUB_WORKSPACE 'avm' 'utilities' 'pipelines' 'platform' 'Set-AvmGitHubIssueOwnerConfig.ps1')
 
           $functionInput = @{
-            Repo = "${{ github.repository_owner }}/${{ github.event.repository.name }}"
+            Repo     = "${{ github.repository_owner }}/${{ github.event.repository.name }}"
+            RepoRoot = $env:GITHUB_WORKSPACE
             IssueUrl = "${{ github.event.issue.url }}"
           }
 

.github/workflows/avm.res.aad.domain-service.yml

@@ -29,6 +29,7 @@ on:
       - ".github/workflows/avm.res.aad.domain-service.yml"
       - "avm/res/aad/domain-service/**"
       - "avm/utilities/pipelines/**"
+      - "!avm/utilities/pipelines/platform/**"
       - "!*/**/README.md"
 
 env:

.github/workflows/avm.res.container-instance.container-group.yml

@@ -29,6 +29,7 @@ on:
       - ".github/workflows/avm.res.container-instance.container-group.yml"
       - "avm/res/container-instance/container-group/**"
       - "avm/utilities/pipelines/**"
+      - "!avm/utilities/pipelines/platform/**"
       - "!*/**/README.md"
 
 env:

.github/workflows/avm.res.digital-twins.digital-twins-instance.yml

@@ -29,6 +29,7 @@ on:
       - ".github/workflows/avm.res.digital-twins.digital-twins-instance.yml"
       - "avm/res/digital-twins/digital-twins-instance/**"
       - "avm/utilities/pipelines/**"
+      - "!avm/utilities/pipelines/platform/**"
       - "!*/**/README.md"
 
 env:

.github/workflows/avm.res.network.network-watcher.yml

@@ -0,0 +1,87 @@
+name: "avm.res.network.network-watcher"
+
+on:
+  schedule:
+    - cron: "0 12 1/15 * *" # Bi-Weekly Test (on 1st & 15th of month)
+  workflow_dispatch:
+    inputs:
+      staticValidation:
+        type: boolean
+        description: "Execute static validation"
+        required: false
+        default: true
+      deploymentValidation:
+        type: boolean
+        description: "Execute deployment validation"
+        required: false
+        default: true
+      removeDeployment:
+        type: boolean
+        description: "Remove deployed module"
+        required: false
+        default: true
+
+  push:
+    branches:
+      - main
+    paths:
+      - ".github/actions/templates/avm-**"
+      - ".github/workflows/avm.template.module.yml"
+      - ".github/workflows/avm.res.network.network-watcher.yml"
+      - "avm/res/network/network-watcher/**"
+      - "avm/utilities/pipelines/**"
+      - "!avm/utilities/pipelines/platform/**"
+      - "!*/**/README.md"
+
+env:
+  modulePath: "avm/res/network/network-watcher"
+  workflowPath: ".github/workflows/avm.res.network.network-watcher.yml"
+
+concurrency:
+  group: ${{ github.workflow }}
+
+jobs:
+  ###########################
+  #   Initialize pipeline   #
+  ###########################
+  job_initialize_pipeline:
+    runs-on: ubuntu-latest
+    name: "Initialize pipeline"
+    steps:
+      - name: "Checkout"
+        uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - name: "Set input parameters to output variables"
+        id: get-workflow-param
+        uses: ./.github/actions/templates/avm-getWorkflowInput
+        with:
+          workflowPath: "${{ env.workflowPath}}"
+      - name: "Get module test file paths"
+        id: get-module-test-file-paths
+        uses: ./.github/actions/templates/avm-getModuleTestFiles
+        with:
+          modulePath: "${{ env.modulePath }}"
+    outputs:
+      workflowInput: ${{ steps.get-workflow-param.outputs.workflowInput }}
+      moduleTestFilePaths: ${{ steps.get-module-test-file-paths.outputs.moduleTestFilePaths }}
+      psRuleModuleTestFilePaths: ${{ steps.get-module-test-file-paths.outputs.psRuleModuleTestFilePaths }}
+      modulePath: "${{ env.modulePath }}"
+
+  ##############################
+  #   Call reusable workflow   #
+  ##############################
+  call-workflow-passing-data:
+    name: "Run"
+    permissions:
+      id-token: write # For OIDC
+      contents: write # For release tags
+    needs:
+      - job_initialize_pipeline
+    uses: ./.github/workflows/avm.template.module.yml
+    with:
+      workflowInput: "${{ needs.job_initialize_pipeline.outputs.workflowInput }}"
+      moduleTestFilePaths: "${{ needs.job_initialize_pipeline.outputs.moduleTestFilePaths }}"
+      psRuleModuleTestFilePaths: "${{ needs.job_initialize_pipeline.outputs.psRuleModuleTestFilePaths }}"
+      modulePath: "${{ needs.job_initialize_pipeline.outputs.modulePath}}"
+    secrets: inherit

.github/workflows/avm.res.network.service-endpoint-policy.yml

@@ -29,6 +29,7 @@ on:
       - ".github/workflows/avm.res.network.service-endpoint-policy.yml"
       - "avm/res/network/service-endpoint-policy/**"
       - "avm/utilities/pipelines/**"
+      - "!avm/utilities/pipelines/platform/**"
       - "!*/**/README.md"
 
 env:

.github/workflows/avm.res.recovery-services.vault.yml

@@ -29,6 +29,7 @@ on:
       - ".github/workflows/avm.res.recovery-services.vault.yml"
       - "avm/res/recovery-services/vault/**"
       - "avm/utilities/pipelines/**"
+      - "!avm/utilities/pipelines/platform/**"
       - "!*/**/README.md"
 
 env:

.github/workflows/avm.res.service-fabric.cluster.yml

@@ -29,6 +29,7 @@ on:
       - ".github/workflows/avm.res.service-fabric.cluster.yml"
       - "avm/res/service-fabric/cluster/**"
       - "avm/utilities/pipelines/**"
+      - "!avm/utilities/pipelines/platform/**"
       - "!*/**/README.md"
 
 env:

avm/res/aad/domain-service/README.md

@@ -56,7 +56,7 @@ module domainService 'br/public:avm/res/aad/domain-service:<version>' = {
         eventHubName: '<eventHubName>'
         logCategoriesAndGroups: [
           {
-            category: 'AllLogs'
+            categoryGroup: 'allLogs'
           }
         ]
         metricCategories: [
@@ -124,7 +124,7 @@ module domainService 'br/public:avm/res/aad/domain-service:<version>' = {
           "eventHubName": "<eventHubName>",
           "logCategoriesAndGroups": [
             {
-              "category": "AllLogs"
+              "categoryGroup": "allLogs"
             }
           ],
           "metricCategories": [

avm/res/aad/domain-service/main.json

@@ -5,8 +5,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.25.53.49325",
-      "templateHash": "7386947428934165964"
+      "version": "0.26.54.24096",
+      "templateHash": "10683253750371964167"
     },
     "name": "Azure Active Directory Domain Services",
     "description": "This module deploys an Azure Active Directory Domain Services (AADDS).",

avm/res/aad/domain-service/tests/e2e/waf-aligned/main.test.bicep

@@ -87,7 +87,7 @@ module testDeployment '../../../main.bicep' = {
         ]
         logCategoriesAndGroups: [
           {
-            category: 'AllLogs'
+            categoryGroup: 'allLogs'
           }
         ]
         storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId
@@ -155,7 +155,7 @@ module testDeploymentIdem '../../../main.bicep' = {
         ]
         logCategoriesAndGroups: [
           {
-            category: 'AllLogs'
+            categoryGroup: 'allLogs'
           }
         ]
         storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId

avm/res/automation/automation-account/README.md

@@ -1463,6 +1463,7 @@ Configuration details for private endpoints. For security reasons, it is recomme
 | [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. |
 | [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if privateDnsZoneResourceIds were provided. |
 | [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. |
+| [`privateLinkServiceConnectionName`](#parameter-privateendpointsprivatelinkserviceconnectionname) | string | The name of the private link connection to create. |
 | [`resourceGroupName`](#parameter-privateendpointsresourcegroupname) | string | Specify if you want to deploy the Private Endpoint into a different resource group than the main resource. |
 | [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignments to create. |
 | [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. |
@@ -1665,6 +1666,13 @@ The private DNS zone groups to associate the private endpoint with. A DNS zone g
 - Required: No
 - Type: array
 
+### Parameter: `privateEndpoints.privateLinkServiceConnectionName`
+
+The name of the private link connection to create.
+
+- Required: No
+- Type: string
+
 ### Parameter: `privateEndpoints.resourceGroupName`
 
 Specify if you want to deploy the Private Endpoint into a different resource group than the main resource.

avm/res/automation/automation-account/main.bicep

@@ -584,6 +584,9 @@ type privateEndpointType = {
   @description('Optional. The location to deploy the private endpoint to.')
   location: string?
 
+  @description('Optional. The name of the private link connection to create.')
+  privateLinkServiceConnectionName: string?
+
   @description('Required. The subresource to deploy the private endpoint for. For example "blob", "table", "queue" or "file".')
   service: string
 

avm/res/automation/automation-account/main.json

@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.26.54.24096",
-      "templateHash": "6251765763506796385"
+      "templateHash": "16001446000186457588"
     },
     "name": "Automation Accounts",
     "description": "This module deploys an Azure Automation Account.",
@@ -146,6 +146,13 @@
               "description": "Optional. The location to deploy the private endpoint to."
             }
           },
+          "privateLinkServiceConnectionName": {
+            "type": "string",
+            "nullable": true,
+            "metadata": {
+              "description": "Optional. The name of the private link connection to create."
+            }
+          },
           "service": {
             "type": "string",
             "metadata": {

avm/res/batch/batch-account/README.md

@@ -1093,6 +1093,7 @@ Configuration details for private endpoints. For security reasons, it is recomme
 | [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. |
 | [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided. |
 | [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. |
+| [`privateLinkServiceConnectionName`](#parameter-privateendpointsprivatelinkserviceconnectionname) | string | The name of the private link connection to create. |
 | [`resourceGroupName`](#parameter-privateendpointsresourcegroupname) | string | Specify if you want to deploy the Private Endpoint into a different resource group than the main resource. |
 | [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignments to create. |
 | [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. |
@@ -1295,6 +1296,13 @@ The private DNS zone groups to associate the private endpoint with. A DNS zone g
 - Required: No
 - Type: array
 
+### Parameter: `privateEndpoints.privateLinkServiceConnectionName`
+
+The name of the private link connection to create.
+
+- Required: No
+- Type: string
+
 ### Parameter: `privateEndpoints.resourceGroupName`
 
 Specify if you want to deploy the Private Endpoint into a different resource group than the main resource.

avm/res/batch/batch-account/main.bicep

@@ -420,6 +420,9 @@ type privateEndpointType = {
   @description('Optional. The location to deploy the private endpoint to.')
   location: string?
 
+  @description('Optional. The name of the private link connection to create.')
+  privateLinkServiceConnectionName: string?
+
   @description('Required. The subresource to deploy the private endpoint for. For example "blob", "table", "queue" or "file".')
   service: string
 

avm/res/batch/batch-account/main.json

@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.26.54.24096",
-      "templateHash": "6890367843750826610"
+      "templateHash": "11103817479788393007"
     },
     "name": "Batch Accounts",
     "description": "This module deploys a Batch Account.",
@@ -218,6 +218,13 @@
               "description": "Optional. The location to deploy the private endpoint to."
             }
           },
+          "privateLinkServiceConnectionName": {
+            "type": "string",
+            "nullable": true,
+            "metadata": {
+              "description": "Optional. The name of the private link connection to create."
+            }
+          },
           "service": {
             "type": "string",
             "metadata": {

avm/res/cache/redis/README.md

@@ -858,6 +858,7 @@ Configuration details for private endpoints. For security reasons, it is recomme
 | [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. |
 | [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided. |
 | [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. |
+| [`privateLinkServiceConnectionName`](#parameter-privateendpointsprivatelinkserviceconnectionname) | string | The name of the private link connection to create. |
 | [`resourceGroupName`](#parameter-privateendpointsresourcegroupname) | string | Specify if you want to deploy the Private Endpoint into a different resource group than the main resource. |
 | [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignments to create. |
 | [`service`](#parameter-privateendpointsservice) | string | The subresource to deploy the private endpoint for. For example "vault", "mysqlServer" or "dataFactory". |
@@ -1054,6 +1055,13 @@ The private DNS zone groups to associate the private endpoint with. A DNS zone g
 - Required: No
 - Type: array
 
+### Parameter: `privateEndpoints.privateLinkServiceConnectionName`
+
+The name of the private link connection to create.
+
+- Required: No
+- Type: string
+
 ### Parameter: `privateEndpoints.resourceGroupName`
 
 Specify if you want to deploy the Private Endpoint into a different resource group than the main resource.