Add networkRuleSetType

avm/res/search/search-service/README.md

@@ -255,6 +255,7 @@ module searchService 'br/public:avm/res/search/search-service:<version>' = {
       ]
     }
     networkRuleSet: {
+      bypass: 'AzurePortal'
       ipRules: [
         {
           value: '40.74.28.0/23'
@@ -364,6 +365,7 @@ module searchService 'br/public:avm/res/search/search-service:<version>' = {
     },
     "networkRuleSet": {
       "value": {
+        "bypass": "AzurePortal",
         "ipRules": [
           {
             "value": "40.74.28.0/23"
@@ -465,6 +467,7 @@ param managedIdentities = {
   ]
 }
 param networkRuleSet = {
+  bypass: 'AzurePortal'
   ipRules: [
     {
       value: '40.74.28.0/23'
@@ -1311,7 +1314,47 @@ Network specific rules that determine how the Azure Cognitive Search service may
 
 - Required: No
 - Type: object
-- Default: `{}`
+
+**Optional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`bypass`](#parameter-networkrulesetbypass) | string | Network specific rules that determine how the Azure AI Search service may be reached. |
+| [`ipRules`](#parameter-networkrulesetiprules) | array | A list of IP restriction rules that defines the inbound network(s) with allowing access to the search service endpoint. At the meantime, all other public IP networks are blocked by the firewall. These restriction rules are applied only when the 'publicNetworkAccess' of the search service is 'enabled'; otherwise, traffic over public interface is not allowed even with any public IP rules, and private endpoint connections would be the exclusive access method. |
+
+### Parameter: `networkRuleSet.bypass`
+
+Network specific rules that determine how the Azure AI Search service may be reached.
+
+- Required: No
+- Type: string
+- Allowed:
+  ```Bicep
+  [
+    'AzurePortal'
+    'None'
+  ]
+  ```
+
+### Parameter: `networkRuleSet.ipRules`
+
+A list of IP restriction rules that defines the inbound network(s) with allowing access to the search service endpoint. At the meantime, all other public IP networks are blocked by the firewall. These restriction rules are applied only when the 'publicNetworkAccess' of the search service is 'enabled'; otherwise, traffic over public interface is not allowed even with any public IP rules, and private endpoint connections would be the exclusive access method.
+
+- Required: No
+- Type: array
+
+**Required parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`value`](#parameter-networkrulesetiprulesvalue) | string | Value corresponding to a single IPv4 address (eg., 123.1.2.3) or an IP range in CIDR format (eg., 123.1.2.3/24) to be allowed. |
+
+### Parameter: `networkRuleSet.ipRules.value`
+
+Value corresponding to a single IPv4 address (eg., 123.1.2.3) or an IP range in CIDR format (eg., 123.1.2.3/24) to be allowed.
+
+- Required: Yes
+- Type: string
 
 ### Parameter: `partitionCount`
 

avm/res/search/search-service/main.bicep

@@ -41,7 +41,7 @@ import { lockType } from 'br/public:avm/utl/types/avm-common-types:0.3.0'
 param lock lockType?
 
 @description('Optional. Network specific rules that determine how the Azure Cognitive Search service may be reached.')
-param networkRuleSet object = {}
+param networkRuleSet networkRuleSetType?
 
 @description('Optional. The number of partitions in the search service; if specified, it can be 1, 2, 3, 4, 6, or 12. Values greater than 1 are only valid for standard SKUs. For \'standard3\' services with hostingMode set to \'highDensity\', the allowed values are between 1 and 3.')
 @minValue(1)
@@ -417,3 +417,17 @@ type authOptionsType = {
   @description('Optional. Indicates that only the API key can be used for authentication.')
   apiKeyOnly: object?
 }
+
+@export()
+type networkRuleSetType = {
+  @description('Optional. Network specific rules that determine how the Azure AI Search service may be reached.')
+  bypass: ('AzurePortal' | 'None')?
+  @description('Optional. A list of IP restriction rules that defines the inbound network(s) with allowing access to the search service endpoint. At the meantime, all other public IP networks are blocked by the firewall. These restriction rules are applied only when the \'publicNetworkAccess\' of the search service is \'enabled\'; otherwise, traffic over public interface is not allowed even with any public IP rules, and private endpoint connections would be the exclusive access method.')
+  ipRules: ipRuleType[]?
+}
+
+@export()
+type ipRuleType = {
+  @description('Required. Value corresponding to a single IPv4 address (eg., 123.1.2.3) or an IP range in CIDR format (eg., 123.1.2.3/24) to be allowed.')
+  value: string
+}

avm/res/search/search-service/main.json

@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.31.34.60546",
-      "templateHash": "13395116650895577306"
+      "templateHash": "13439052311737641230"
     },
     "name": "Search Services",
     "description": "This module deploys a Search Service.",
@@ -83,6 +83,49 @@
         "__bicep_export!": true
       }
     },
+    "networkRuleSetType": {
+      "type": "object",
+      "properties": {
+        "bypass": {
+          "type": "string",
+          "allowedValues": [
+            "AzurePortal",
+            "None"
+          ],
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. Network specific rules that determine how the Azure AI Search service may be reached."
+          }
+        },
+        "ipRules": {
+          "type": "array",
+          "items": {
+            "$ref": "#/definitions/ipRuleType"
+          },
+          "nullable": true,
+          "metadata": {
+            "description": "Optional. A list of IP restriction rules that defines the inbound network(s) with allowing access to the search service endpoint. At the meantime, all other public IP networks are blocked by the firewall. These restriction rules are applied only when the 'publicNetworkAccess' of the search service is 'enabled'; otherwise, traffic over public interface is not allowed even with any public IP rules, and private endpoint connections would be the exclusive access method."
+          }
+        }
+      },
+      "metadata": {
+        "__bicep_export!": true
+      }
+    },
+    "ipRuleType": {
+      "type": "object",
+      "properties": {
+        "value": {
+          "type": "string",
+          "metadata": {
+            "description": "Required. Value corresponding to a single IPv4 address (eg., 123.1.2.3) or an IP range in CIDR format (eg., 123.1.2.3/24) to be allowed."
+          }
+        }
+      },
+      "metadata": {
+        "__bicep_export!": true
+      }
+    },
     "_1.privateEndpointCustomDnsConfigType": {
       "type": "object",
       "properties": {
@@ -678,8 +721,8 @@
       }
     },
     "networkRuleSet": {
-      "type": "object",
-      "defaultValue": {},
+      "$ref": "#/definitions/networkRuleSetType",
+      "nullable": true,
       "metadata": {
         "description": "Optional. Network specific rules that determine how the Azure Cognitive Search service may be reached."
       }

avm/res/search/search-service/tests/e2e/max/main.test.bicep

@@ -111,6 +111,7 @@ module testDeployment '../../../main.bicep' = [
         }
       ]
       networkRuleSet: {
+        bypass: 'AzurePortal'
         ipRules: [
           {
             value: '40.74.28.0/23'