Merge branch 'Azure:main' into main
AlexanderSehr authored Nov 10, 2023
2 parents cb39086 + cba2cc5 commit 89eac40
Showing 91 changed files with 396 additions and 330 deletions.
4 changes: 4 additions & 0 deletions avm/res/batch/batch-account/ORPHANED.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,4 @@
⚠️THIS MODULE IS CURRENTLY ORPHANED.⚠️

- Only security and bug fixes are being handled by the AVM core team at present.
- If interested in becoming the module owner of this orphaned module (must be Microsoft FTE), please look for the related "orphaned module" GitHub issue [here](https://aka.ms/AVM/OrphanedModules)!
122 changes: 62 additions & 60 deletions avm/res/batch/batch-account/README.md
Original file line number Diff line number Diff line change
@@ -1,5 +1,10 @@
# Batch Accounts `[Microsoft.Batch/batchAccounts]`

> ⚠️THIS MODULE IS CURRENTLY ORPHANED.⚠️
>
> - Only security and bug fixes are being handled by the AVM core team at present.
> - If interested in becoming the module owner of this orphaned module (must be Microsoft FTE), please look for the related "orphaned module" GitHub issue [here](https://aka.ms/AVM/OrphanedModules)!
This module deploys a Batch Account.

## Navigation
Expand Down Expand Up @@ -58,7 +63,7 @@ module batchAccount 'br/public:avm/res/batch/batch-account:<version>' = {
location: '<location>'
lock: '<lock>'
managedIdentities: '<managedIdentities>'
networkProfileAllowedIpRanges: '<networkProfileAllowedIpRanges>'
networkProfile: '<networkProfile>'
privateEndpoints: '<privateEndpoints>'
roleAssignments: '<roleAssignments>'
storageAccessIdentityResourceId: '<storageAccessIdentityResourceId>'
Expand Down Expand Up @@ -108,8 +113,8 @@ module batchAccount 'br/public:avm/res/batch/batch-account:<version>' = {
"managedIdentities": {
"value": "<managedIdentities>"
},
"networkProfileAllowedIpRanges": {
"value": "<networkProfileAllowedIpRanges>"
"networkProfile": {
"value": "<networkProfile>"
},
"privateEndpoints": {
"value": "<privateEndpoints>"
Expand Down Expand Up @@ -147,25 +152,17 @@ module batchAccount 'br/public:avm/res/batch/batch-account:<version>' = {
name: 'bbaencr001'
storageAccountId: '<storageAccountId>'
// Non-required parameters
allowedAuthenticationModes: '<allowedAuthenticationModes>'
customerManagedKey: {
keyName: '<keyName>'
keyVaultResourceId: '<keyVaultResourceId>'
}
diagnosticSettings: '<diagnosticSettings>'
keyVaultReferenceResourceId: '<keyVaultReferenceResourceId>'
location: '<location>'
lock: '<lock>'
managedIdentities: {
userAssignedResourcesIds: [
'<managedIdentityResourceId>'
]
}
networkProfileAllowedIpRanges: '<networkProfileAllowedIpRanges>'
poolAllocationMode: 'BatchService'
privateEndpoints: '<privateEndpoints>'
roleAssignments: '<roleAssignments>'
storageAccessIdentityResourceId: '<storageAccessIdentityResourceId>'
storageAuthenticationMode: 'BatchAccountManagedIdentity'
tags: {
'hidden-title': 'This is visible in the resource name'
Expand Down Expand Up @@ -194,49 +191,25 @@ module batchAccount 'br/public:avm/res/batch/batch-account:<version>' = {
"value": "<storageAccountId>"
},
// Non-required parameters
"allowedAuthenticationModes": {
"value": "<allowedAuthenticationModes>"
},
"customerManagedKey": {
"value": {
"keyName": "<keyName>",
"keyVaultResourceId": "<keyVaultResourceId>"
}
},
"diagnosticSettings": {
"value": "<diagnosticSettings>"
},
"keyVaultReferenceResourceId": {
"value": "<keyVaultReferenceResourceId>"
},
"location": {
"value": "<location>"
},
"lock": {
"value": "<lock>"
},
"managedIdentities": {
"value": {
"userAssignedResourcesIds": [
"<managedIdentityResourceId>"
]
}
},
"networkProfileAllowedIpRanges": {
"value": "<networkProfileAllowedIpRanges>"
},
"poolAllocationMode": {
"value": "BatchService"
},
"privateEndpoints": {
"value": "<privateEndpoints>"
},
"roleAssignments": {
"value": "<roleAssignments>"
},
"storageAccessIdentityResourceId": {
"value": "<storageAccessIdentityResourceId>"
},
"storageAuthenticationMode": {
"value": "BatchAccountManagedIdentity"
},
Expand Down Expand Up @@ -289,7 +262,19 @@ module batchAccount 'br/public:avm/res/batch/batch-account:<version>' = {
managedIdentities: {
systemAssigned: true
}
networkProfileAllowedIpRanges: '<networkProfileAllowedIpRanges>'
networkProfile: {
accountAccess: {
allowedIpRules: [
'40.74.28.0/23'
]
defaultAction: 'Deny'
}
nodeManagementAccess: {
allowedIpRules: [
'40.74.28.0/23'
]
}
}
poolAllocationMode: 'BatchService'
privateEndpoints: [
{
Expand Down Expand Up @@ -383,8 +368,20 @@ module batchAccount 'br/public:avm/res/batch/batch-account:<version>' = {
"systemAssigned": true
}
},
"networkProfileAllowedIpRanges": {
"value": "<networkProfileAllowedIpRanges>"
"networkProfile": {
"value": {
"accountAccess": {
"allowedIpRules": [
"40.74.28.0/23"
],
"defaultAction": "Deny"
},
"nodeManagementAccess": {
"allowedIpRules": [
"40.74.28.0/23"
]
}
}
},
"poolAllocationMode": {
"value": "BatchService"
Expand Down Expand Up @@ -476,7 +473,7 @@ module batchAccount 'br/public:avm/res/batch/batch-account:<version>' = {
managedIdentities: {
systemAssigned: true
}
networkProfileAllowedIpRanges: '<networkProfileAllowedIpRanges>'
networkProfile: '<networkProfile>'
poolAllocationMode: 'BatchService'
privateEndpoints: [
{
Expand Down Expand Up @@ -551,8 +548,8 @@ module batchAccount 'br/public:avm/res/batch/batch-account:<version>' = {
"systemAssigned": true
}
},
"networkProfileAllowedIpRanges": {
"value": "<networkProfileAllowedIpRanges>"
"networkProfile": {
"value": "<networkProfile>"
},
"poolAllocationMode": {
"value": "BatchService"
Expand Down Expand Up @@ -617,11 +614,10 @@ module batchAccount 'br/public:avm/res/batch/batch-account:<version>' = {
| [`location`](#parameter-location) | string | Location for all Resources. |
| [`lock`](#parameter-lock) | object | The lock settings of the service. |
| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. |
| [`networkProfileAllowedIpRanges`](#parameter-networkprofileallowedipranges) | array | Array of IP ranges to filter client IP address. It is only applicable when publicNetworkAccess is not explicitly disabled. |
| [`networkProfileDefaultAction`](#parameter-networkprofiledefaultaction) | string | The network profile default action for endpoint access. It is only applicable when publicNetworkAccess is not explicitly disabled. |
| [`networkProfile`](#parameter-networkprofile) | object | Network access profile. It is only applicable when publicNetworkAccess is not explicitly disabled. |
| [`poolAllocationMode`](#parameter-poolallocationmode) | string | The allocation mode for creating pools in the Batch account. Determines which quota will be used. |
| [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. |
| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkProfileAllowedIpRanges are not set. |
| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkProfile is not set. |
| [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. |
| [`storageAccessIdentityResourceId`](#parameter-storageaccessidentityresourceid) | string | The resource ID of a user assigned identity assigned to pools which have compute nodes that need access to auto-storage. |
| [`storageAuthenticationMode`](#parameter-storageauthenticationmode) | string | The authentication mode which the Batch service will use to manage the auto-storage account. |
Expand Down Expand Up @@ -869,25 +865,31 @@ Name of the Azure Batch.
- Required: Yes
- Type: string

### Parameter: `networkProfileAllowedIpRanges`
### Parameter: `networkProfile`

Array of IP ranges to filter client IP address. It is only applicable when publicNetworkAccess is not explicitly disabled.
Network access profile. It is only applicable when publicNetworkAccess is not explicitly disabled.
- Required: No
- Type: array
- Type: object

### Parameter: `networkProfileDefaultAction`

The network profile default action for endpoint access. It is only applicable when publicNetworkAccess is not explicitly disabled.
| Name | Required | Type | Description |
| :-- | :-- | :--| :-- |
| [`accountAccess`](#parameter-networkprofileaccountaccess) | No | object | Optional. Network access profile for batchAccount endpoint (Batch account data plane API). |
| [`nodeManagementAccess`](#parameter-networkprofilenodemanagementaccess) | No | object | Optional. Network access profile for nodeManagement endpoint (Batch service managing compute nodes for Batch pools). |

### Parameter: `networkProfile.accountAccess`

Optional. Network access profile for batchAccount endpoint (Batch account data plane API).

- Required: No
- Type: string
- Default: `'Deny'`
- Allowed:
```Bicep
[
'Allow'
'Deny'
]
```
- Type: object

### Parameter: `networkProfile.nodeManagementAccess`

Optional. Network access profile for nodeManagement endpoint (Batch service managing compute nodes for Batch pools).

- Required: No
- Type: object

### Parameter: `poolAllocationMode`

Expand Down Expand Up @@ -1073,7 +1075,7 @@ Optional. Tags to be applied on all resources/resource groups in this deployment

### Parameter: `publicNetworkAccess`

Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkProfileAllowedIpRanges are not set.
Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkProfile is not set.
- Required: No
- Type: string
- Default: `''`
Expand Down Expand Up @@ -1203,4 +1205,4 @@ This section gives you an overview of all local-referenced module files (i.e., o

| Reference | Type |
| :-- | :-- |
| `br/public:avm-res-network-privateendpoint:0.1.1` | Remote reference |
| `br/public:avm/res/network/private-endpoint:0.2.0` | Remote reference |
62 changes: 40 additions & 22 deletions avm/res/batch/batch-account/main.bicep
Original file line number Diff line number Diff line change
Expand Up @@ -34,23 +34,16 @@ param keyVaultReferenceResourceId string?
@description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
param privateEndpoints privateEndpointType

@description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkProfileAllowedIpRanges are not set.')
@description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set and networkProfile is not set.')
@allowed([
''
'Enabled'
'Disabled'
])
param publicNetworkAccess string = ''

@allowed([
'Allow'
'Deny'
])
@description('Optional. The network profile default action for endpoint access. It is only applicable when publicNetworkAccess is not explicitly disabled.')
param networkProfileDefaultAction string = 'Deny'

@description('Optional. Array of IP ranges to filter client IP address. It is only applicable when publicNetworkAccess is not explicitly disabled.')
param networkProfileAllowedIpRanges array?
@description('Optional. Network access profile. It is only applicable when publicNetworkAccess is not explicitly disabled.')
param networkProfile networkProfileType

@description('Optional. The lock settings of the service.')
param lock lockType
Expand Down Expand Up @@ -87,9 +80,14 @@ var identity = !empty(managedIdentities) ? {
userAssignedIdentities: !empty(formattedUserAssignedIdentities) ? formattedUserAssignedIdentities : null
} : null

var networkProfileIpRules = [for networkProfileAllowedIpRange in (networkProfileAllowedIpRanges ?? []): {
var accountAccessNetworkProfileIpRules = [for allowedIpRule in networkProfile.?accountAccess.?allowedIpRules ?? []: {
action: 'Allow'
value: networkProfileAllowedIpRange
value: allowedIpRule
}]

var nodeManagementAccessNetworkProfileIpRules = [for allowedIpRule in networkProfile.?nodeManagementAccess.?allowedIpRules ?? []: {
action: 'Allow'
value: allowedIpRule
}]

var builtInRoleNames = {
Expand Down Expand Up @@ -156,14 +154,18 @@ resource batchAccount 'Microsoft.Batch/batchAccounts@2022-06-01' = {
id: batchKeyVaultReference.id
url: batchKeyVaultReference.properties.vaultUri
} : null
networkProfile: (publicNetworkAccess == 'Disabled') || empty(networkProfileAllowedIpRanges ?? []) ? null : {
accountAccess: {
defaultAction: networkProfileDefaultAction
ipRules: networkProfileIpRules
}
}
networkProfile: !empty(networkProfile ?? {}) ? {
accountAccess: !empty(accountAccessNetworkProfileIpRules) ? {
defaultAction: networkProfile.?accountAccess.?defaultAction ?? 'Deny'
ipRules: accountAccessNetworkProfileIpRules
} : null
nodeManagementAccess: !empty(nodeManagementAccessNetworkProfileIpRules) ? {
defaultAction: networkProfile.?nodeManagementAccess.?defaultAction ?? 'Deny'
ipRules: nodeManagementAccessNetworkProfileIpRules
} : null
} : null
poolAllocationMode: poolAllocationMode
publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : ((!empty(privateEndpoints ?? []) && empty(networkProfileAllowedIpRanges ?? [])) ? 'Disabled' : null)
publicNetworkAccess: !empty(publicNetworkAccess) ? any(publicNetworkAccess) : ((!empty(privateEndpoints ?? []) && empty(networkProfile ?? [])) ? 'Disabled' : null)
}
}

Expand Down Expand Up @@ -202,7 +204,7 @@ resource batchAccount_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@
scope: batchAccount
}]

module batchAccount_privateEndpoints 'br/public:avm-res-network-privateendpoint:0.1.1' = [for (privateEndpoint, index) in (privateEndpoints ?? []): {
module batchAccount_privateEndpoints 'br/public:avm/res/network/private-endpoint:0.2.0' = [for (privateEndpoint, index) in (privateEndpoints ?? []): {
name: '${uniqueString(deployment().name, location)}-BatchAccount-PrivateEndpoint-${index}'
params: {
groupIds: [
Expand Down Expand Up @@ -279,7 +281,7 @@ type diagnosticSettingType = {
}[]?

@description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.')
logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics' | null)?
logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')?

@description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.')
workspaceResourceId: string?
Expand All @@ -305,7 +307,7 @@ type roleAssignmentType = {
principalId: string

@description('Optional. The principal type of the assigned principal ID.')
principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device' | null)?
principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?

@description('Optional. The description of the role assignment.')
description: string?
Expand Down Expand Up @@ -401,3 +403,19 @@ type lockType = {
@description('Optional. Specify the type of lock.')
kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
}?

type networkProfileType = {
@description('Optional. Network access profile for batchAccount endpoint (Batch account data plane API).')
accountAccess: endpointAccessProfileType?

@description('Optional. Network access profile for nodeManagement endpoint (Batch service managing compute nodes for Batch pools).')
nodeManagementAccess: endpointAccessProfileType?
}?

type endpointAccessProfileType = {
@description('Optional. Default action for endpoint access. If not specified, defaults to Deny.')
defaultAction: ('Allow' | 'Deny')?

@description('Optional. Array of IP ranges to filter client IP address.')
allowedIpRules: array?
}?
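Review bot: An access profile whose `allowedIpRules` is empty is silently dropped by the new `networkProfile` expression on the `batchAccount` resource (the `!empty(accountAccessNetworkProfileIpRules)` and `!empty(nodeManagementAccessNetworkProfileIpRules)` guards), so a caller who passes `accountAccess: { defaultAction: 'Deny' }` to block all public traffic to that endpoint gets no restriction at all — the deployment succeeds and the endpoint stays open, i.e. the module fails open on an explicit deny. Gate on the sub-object being supplied instead, `accountAccess: !empty(networkProfile.?accountAccess ?? {}) ? {` and `nodeManagementAccess: !empty(networkProfile.?nodeManagementAccess ?? {}) ? {`, and let `ipRules` be an empty array; I believe the Batch API accepts `defaultAction: 'Deny'` without rules, but confirm against the 2022-06-01 schema before relying on it. Relatedly, the `publicNetworkAccess` line uses `empty(networkProfile ?? [])` while the same value is defaulted with `?? {}` two lines earlier — use `?? {}` in both so the object-typed parameter is not compared against an array default. `allowedIpRules: array?` in `endpointAccessProfileType` could be tightened to `string[]?` so a malformed rule is rejected at compile time rather than at deployment. The `batchAccount` resource body starts outside the hunk.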