From 25637dd7e99109276a984e6ea1620cbc80fb0922 Mon Sep 17 00:00:00 2001 
From: hundredacres Date: Mon, 25 Nov 2024 14:37:08 -0800 Subject: [PATCH] feat: Adding support for enabling ingestion-only. (#3840) ## Description Added support for enabling ingestion-only. Updated API to latest stable version. Fixes #3682 Closes #3682 ## Pipeline Reference | Pipeline | | -------- | | [![avm.res.purview.account](https://github.com/hundredacres/bicep-registry-modules/actions/workflows/avm.res.purview.account.yml/badge.svg?branch=feat%2Fissues%2F3682)](https://github.com/hundredacres/bicep-registry-modules/actions/workflows/avm.res.purview.account.yml) | ## Type of Change - [ ] Update to CI Environment or utilities (Non-module affecting changes) - [X] Azure Verified Module updates: - [ ] Bugfix containing backwards-compatible bug fixes, and I have NOT bumped the MAJOR or MINOR version in `version.json`: - [X] Someone has opened a bug report issue, and I have included "Closes #{bug_report_issue_number}" in the PR description. - [ ] The bug was found by the module author, and no one has opened an issue to report it yet. - [X] Feature update backwards compatible feature updates, and I have bumped the MINOR version in `version.json`. - [ ] Breaking changes and I have bumped the MAJOR version in `version.json`. - [ ] Update to documentation ## Checklist - [X] I'm sure there are no other open Pull Requests for the same update/change - [X] I have run `Set-AVMModule` locally to generate the supporting module files. - [X] My corresponding pipelines / checks run clean and green without any errors or warnings --- avm/res/purview/account/README.md | 114 +++++++++++++++++- avm/res/purview/account/main.bicep | 20 ++- avm/res/purview/account/main.json | 36 +++++- .../tests/e2e/ingestion-only/main.test.bicep | 52 ++++++++ avm/res/purview/account/version.json | 4 +- 5 files changed, 213 insertions(+), 13 deletions(-) create mode 100644 avm/res/purview/account/tests/e2e/ingestion-only/main.test.bicep 
diff --git a/avm/res/purview/account/README.md b/avm/res/purview/account/README.md index 1abd9cda78..af03ada137 100644 --- a/avm/res/purview/account/README.md +++ b/avm/res/purview/account/README.md @@ -20,7 +20,7 @@ This module deploys a Purview Account. | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | | `Microsoft.Network/privateEndpoints` | [2023-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-11-01/privateEndpoints) | | `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-11-01/privateEndpoints/privateDnsZoneGroups) | -| `Microsoft.Purview/accounts` | [2021-07-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Purview/2021-07-01/accounts) | +| `Microsoft.Purview/accounts` | [2021-12-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Purview/2021-12-01/accounts) | ## Usage examples @@ -31,8 +31,9 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br/public:avm/res/purview/account:`. - [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) -- [WAF-aligned](#example-3-waf-aligned) +- [Public network access disabled for Purview managed resources](#example-2-public-network-access-disabled-for-purview-managed-resources) +- [Using large parameter set](#example-3-using-large-parameter-set) +- [WAF-aligned](#example-4-waf-aligned) ### Example 1: _Using only defaults_ @@ -98,7 +99,76 @@ param location = ''

-### Example 2: _Using large parameter set_ +### Example 2: _Public network access disabled for Purview managed resources_ + +This instance deploys the module with public network access disabled for Purview managed resources. + + +

+ +via Bicep module + +```bicep +module account 'br/public:avm/res/purview/account:' = { + name: 'accountDeployment' + params: { + // Required parameters + name: 'pvaing001' + // Non-required parameters + location: '' + managedResourcesPublicNetworkAccess: 'Disabled' + } +} +``` + +
+

+ +

+ +via JSON parameters file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "pvaing001" + }, + // Non-required parameters + "location": { + "value": "" + }, + "managedResourcesPublicNetworkAccess": { + "value": "Disabled" + } + } +} +``` + +
+

+ +

+ +via Bicep parameters file + +```bicep-params +using 'br/public:avm/res/purview/account:' + +// Required parameters +param name = 'pvaing001' +// Non-required parameters +param location = '' +param managedResourcesPublicNetworkAccess = 'Disabled' +``` + +
+

+ +### Example 3: _Using large parameter set_ This instance deploys the module with most of its features enabled. @@ -663,7 +733,7 @@ param tags = {

-### Example 3: _WAF-aligned_ +### Example 4: _WAF-aligned_ This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. @@ -1003,8 +1073,10 @@ param tags = { | [`eventHubPrivateEndpoints`](#parameter-eventhubprivateendpoints) | array | Configuration details for Purview Managed Event Hub namespace private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'namespace'. | | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | +| [`managedEventHubState`](#parameter-managedeventhubstate) | string | The state of the managed Event Hub. | | [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | | [`managedResourceGroupName`](#parameter-managedresourcegroupname) | string | The Managed Resource Group Name. A managed Storage Account, and an Event Hubs will be created in the selected subscription for catalog ingestion scenarios. Default is 'managed-rg-'. | +| [`managedResourcesPublicNetworkAccess`](#parameter-managedresourcespublicnetworkaccess) | string | Whether or not public network access is allowed for managed resources. | | [`portalPrivateEndpoints`](#parameter-portalprivateendpoints) | array | Configuration details for Purview Portal private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'portal'. | | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | 
@@ -2039,6 +2111,22 @@ Specify the name of lock. - Required: No - Type: string +### Parameter: `managedEventHubState` + +The state of the managed Event Hub. + +- Required: No +- Type: string +- Default: `'Enabled'` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + 'NotSpecified' + ] + ``` + ### Parameter: `managedIdentities` The managed identity definition for this resource. @@ -2067,6 +2155,22 @@ The Managed Resource Group Name. A managed Storage Account, and an Event Hubs wi - Type: string - Default: `[format('managed-rg-{0}', parameters('name'))]` +### Parameter: `managedResourcesPublicNetworkAccess` + +Whether or not public network access is allowed for managed resources. + +- Required: No +- Type: string +- Default: `'NotSpecified'` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + 'NotSpecified' + ] + ``` + ### Parameter: `portalPrivateEndpoints` Configuration details for Purview Portal private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. Make sure the service property is set to 'portal'. diff --git a/avm/res/purview/account/main.bicep b/avm/res/purview/account/main.bicep index e3ec79f296..2e04c91aef 100644 --- a/avm/res/purview/account/main.bicep +++ b/avm/res/purview/account/main.bicep 
@@ -17,9 +17,25 @@ import { managedIdentityOnlyUserAssignedType } from 'br/public:avm/utl/types/avm
 @description('Optional. The managed identity definition for this resource.')
 param managedIdentities managedIdentityOnlyUserAssignedType?
 
+@description('Optional. The state of the managed Event Hub.')
+@allowed([
+ 'Enabled'
+ 'Disabled'
+ 'NotSpecified'
+])
+param managedEventHubState string = 'Enabled'
+
 @description('Optional. The Managed Resource Group Name. A managed Storage Account, and an Event Hubs will be created in the selected subscription for catalog ingestion scenarios. Default is \'managed-rg-\'.')
 param managedResourceGroupName string = 'managed-rg-${name}'
 
+@description('Optional. Whether or not public network access is allowed for managed resources.')
+@allowed([
+ 'Enabled'
+ 'Disabled'
+ 'NotSpecified'
+])
+param managedResourcesPublicNetworkAccess string = 'NotSpecified'
+
 @description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set.')
 @allowed([
 'Enabled'
@@ -114,14 +130,16 @@ resource avmTelemetry 'Microsoft.Resources/deployments@2024-03-01' = if (enableT
 }
 }
 
-resource account 'Microsoft.Purview/accounts@2021-07-01' = {
+resource account 'Microsoft.Purview/accounts@2021-12-01' = {
 name: name
 location: location
 tags: tags
 identity: identity
 properties: {
 cloudConnectors: {}
+ managedEventHubState: managedEventHubState
 managedResourceGroupName: managedResourceGroupName
+ managedResourcesPublicNetworkAccess: managedResourcesPublicNetworkAccess
 publicNetworkAccess: publicNetworkAccess
 }
 }
diff --git a/avm/res/purview/account/main.json b/avm/res/purview/account/main.json
index 20e38c94f8..019e5d5c55 100644
--- a/avm/res/purview/account/main.json
+++ b/avm/res/purview/account/main.json
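Review bot: The new `managedResourcesPublicNetworkAccess` parameter defaults to `'NotSpecified'` and its description says nothing about the security implication, whereas the neighbouring `publicNetworkAccess` description explicitly tells users it should be disabled for security reasons; a reader gets no hint that the managed Storage Account and Event Hubs namespace are governed by this second switch rather than the first. Suggest `@description('Optional. Whether or not public network access is allowed for the managed resources (Storage Account and Event Hubs namespace). For security reasons it should be set to \'Disabled\' when those resources are reached through private endpoints.')`. The diffstat lists no change to the WAF-aligned test, so the WAF-aligned example presumably still leaves the managed resources' public access at the provider default; consider pinning `managedResourcesPublicNetworkAccess: 'Disabled'` there as well. Whether a private-endpoint-derived default like the one described for `publicNetworkAccess` also applies here cannot be seen in this hunk, since the rest of the file is outside it.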
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.30.23.60470", - "templateHash": "6120060466877826337" + "version": "0.31.92.45157", + "templateHash": "18280782395141983115" }, "name": "Purview Accounts", "description": "This module deploys a Purview Account.", @@ -503,6 +503,18 @@ "description": "Optional. The managed identity definition for this resource." } }, + "managedEventHubState": { + "type": "string", + "defaultValue": "Enabled", + "allowedValues": [ + "Enabled", + "Disabled", + "NotSpecified" + ], + "metadata": { + "description": "Optional. The state of the managed Event Hub." + } + }, "managedResourceGroupName": { "type": "string", "defaultValue": "[format('managed-rg-{0}', parameters('name'))]", @@ -510,6 +522,18 @@ "description": "Optional. The Managed Resource Group Name. A managed Storage Account, and an Event Hubs will be created in the selected subscription for catalog ingestion scenarios. Default is 'managed-rg-'." } }, + "managedResourcesPublicNetworkAccess": { + "type": "string", + "defaultValue": "NotSpecified", + "allowedValues": [ + "Enabled", + "Disabled", + "NotSpecified" + ], + "metadata": { + "description": "Optional. Whether or not public network access is allowed for managed resources." + } + }, "publicNetworkAccess": { "type": "string", "defaultValue": "NotSpecified", @@ -622,14 +646,16 @@ }, "account": { "type": "Microsoft.Purview/accounts", - "apiVersion": "2021-07-01", + "apiVersion": "2021-12-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "identity": "[variables('identity')]", "properties": { "cloudConnectors": {}, + "managedEventHubState": "[parameters('managedEventHubState')]", "managedResourceGroupName": "[parameters('managedResourceGroupName')]", + "managedResourcesPublicNetworkAccess": "[parameters('managedResourcesPublicNetworkAccess')]", "publicNetworkAccess": "[parameters('publicNetworkAccess')]" } }, 
@@ -4568,7 +4594,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference('account', '2021-07-01', 'full').location]" + "value": "[reference('account', '2021-12-01', 'full').location]" }, "managedResourceGroupName": { "type": "string", @@ -4603,7 +4629,7 @@ "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[coalesce(tryGet(tryGet(reference('account', '2021-07-01', 'full'), 'identity'), 'principalId'), '')]" + "value": "[coalesce(tryGet(tryGet(reference('account', '2021-12-01', 'full'), 'identity'), 'principalId'), '')]" }, "accountPrivateEndpoints": { "type": "array", diff --git a/avm/res/purview/account/tests/e2e/ingestion-only/main.test.bicep b/avm/res/purview/account/tests/e2e/ingestion-only/main.test.bicep new file mode 100644 index 0000000000..c51f3ef6fb --- /dev/null +++ b/avm/res/purview/account/tests/e2e/ingestion-only/main.test.bicep 
@@ -0,0 +1,52 @@
+targetScope = 'subscription'
+
+metadata name = 'Public network access disabled for Purview managed resources'
+metadata description = 'This instance deploys the module with public network access disabled for Purview managed resources.'
+
+// ========== //
+// Parameters //
+// ========== //
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-purview-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param resourceLocation string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'pvaing'
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '#_namePrefix_#'
+
+// Set to fixed location as the RP function returns unsupported locations
+// Right now (2024/07) the following locations are supported: uksouth
+param enforcedLocation string = 'uksouth'
+
+// =========== //
+// Deployments //
+// =========== //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: resourceLocation
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [
+ for iteration in ['init', 'idem']: {
+ name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}-${iteration}'
+ scope: resourceGroup
+ params: {
+ name: '${namePrefix}${serviceShort}001'
+ location: enforcedLocation
+ managedResourcesPublicNetworkAccess: 'Disabled'
+ }
+ }
+]
diff --git a/avm/res/purview/account/version.json b/avm/res/purview/account/version.json
index a8eda31021..9ed3662aba 100644
--- a/avm/res/purview/account/version.json
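Review bot: `param enforcedLocation string = 'uksouth'` is the only parameter in the new test without a `@description` decorator, while every other parameter in the file carries one; suggest `@description('Optional. The location to deploy the Purview account to. Fixed because the resource provider reports unsupported regions for this service.')`. The comment above it is dated `2024/07` although the patch is from November 2024, so it reads as copied from another test and its region list may be stale. The folder is named `ingestion-only`, yet the test only sets `managedResourcesPublicNetworkAccess: 'Disabled'`; the other new parameter, `managedEventHubState`, is not exercised by any test in this patch (the diffstat lists no other test changes), so consider setting it here as well, e.g. `managedEventHubState: 'Disabled'`, or in a sibling test, so that both new properties are proven to deploy idempotently.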
+++ b/avm/res/purview/account/version.json @@ -1,7 +1,7 @@ { "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.5", + "version": "0.6", "pathFilters": [ "./main.json" ] -} \ No newline at end of file +}