Azure · fbinotto · Jun 10, 2024 · May 29, 2024 · Jun 4, 2024 · Jun 4, 2024
@@ -645,19 +645,26 @@ module netAppAccount 'br/public:avm/res/net-app/net-app-account:<version>' = {
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
+| [`aesEncryption`](#parameter-aesEncryption) | bool | Enable AES encryption on the SMB Server. |
 | [`capacityPools`](#parameter-capacitypools) | array | Capacity pools to create. |
 | [`dnsServers`](#parameter-dnsservers) | string | Required if domainName is specified. Comma separated list of DNS server IP addresses (IPv4 only) required for the Active Directory (AD) domain join and SMB authentication operations to succeed. |
 | [`domainJoinOU`](#parameter-domainjoinou) | string | Used only if domainName is specified. LDAP Path for the Organization Unit (OU) where SMB Server machine accounts will be created (i.e. 'OU=SecondLevel,OU=FirstLevel'). |
 | [`domainJoinPassword`](#parameter-domainjoinpassword) | securestring | Required if domainName is specified. Password of the user specified in domainJoinUser parameter. |
 | [`domainJoinUser`](#parameter-domainjoinuser) | string | Required if domainName is specified. Username of Active Directory domain administrator, with permissions to create SMB server machine account in the AD domain. |
 | [`domainName`](#parameter-domainname) | string | Fully Qualified Active Directory DNS Domain Name (e.g. 'contoso.com'). |
+| [`keyName`](#parameter-keyName) | string | The key name to use for encryption. |
+| [`keySource`](#parameter-keySource) | string | The key source Microsoft.Keyvault for CMK or Microsoft Managed Key (default). |
+| [`keyVaultResourceId`](#parameter-keyVaultResourceId) | string | The keyvault resource Id to use for encryption. |
+| [`keyVaultUri`](#parameter-keyVaultUri) | string | The keyvault URI to use for encryption. |
 | [`enableTelemetry`](#parameter-enabletelemetry) | bool | Enable/Disable usage telemetry for module. |
+| [`ldapSigning`](#parameter-ldapSigning) | bool | Specifies whether or not the LDAP traffic needs to be signed. |
 | [`location`](#parameter-location) | string | Location for all resources. |
 | [`lock`](#parameter-lock) | object | The lock settings of the service. |
 | [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. |
 | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. |
 | [`smbServerNamePrefix`](#parameter-smbservernameprefix) | string | Required if domainName is specified. NetBIOS name of the SMB server. A computer account with this prefix will be registered in the AD and used to mount volumes. |
 | [`tags`](#parameter-tags) | object | Tags for all resources. |
+`
 
 ### Parameter: `name`
 
@@ -666,6 +673,14 @@ The name of the NetApp account.
 - Required: Yes
 - Type: string
 
+### Parameter: `aesEncryption`
+
+Enable AES encryption on the SMB Server.
+
+- Required: No
+- Type: bool
+- Default: `False`
+
 ### Parameter: `capacityPools`
 
 Capacity pools to create.
@@ -722,6 +737,46 @@ Enable/Disable usage telemetry for module.
 - Type: bool
 - Default: `True`
 
+### Parameter: `keyName`
+
+The key name to use for encryption
+
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `keySource`
+
+The key source Microsoft.Keyvault for CMK or Microsoft Managed Key (default)
+
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `keyVaultResourceId`
+
+The keyvault resource Id to use for encryption
+
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `keyVaultUri`
+
+The keyvault URI to use for encryption
+
+- Required: No
+- Type: string
+- Default: `''`
+
+### Parameter: `ldapSigning`
+
+Specifies whether or not the LDAP traffic needs to be signed.
+
+- Required: No
+- Type: bool
+- Default: `False`
+
 ### Parameter: `location`
 
 Location for all resources.

@@ -5,6 +5,9 @@ metadata owner = 'Azure/module-maintainers'
 @description('Required. The name of the NetApp account.')
 param name string
 
+@description('Optional. Enable AES encryption on the SMB Server.')
+param aesEncryption bool = false
+
 @description('Optional. Fully Qualified Active Directory DNS Domain Name (e.g. \'contoso.com\').')
 param domainName string = ''
 
@@ -33,6 +36,21 @@ param managedIdentities managedIdentitiesType
 @description('Optional. Array of role assignments to create.')
 param roleAssignments roleAssignmentType
 
+@description('Optional. The key name to use for encryption.')
+param keyName string
+
+@description('Optional. The key source Microsoft.Keyvault for CMK or Microsoft Managed Key (default).')
+param keySource string
+
+@description('Optional. The key vault resource ID to use for encryption.')
+param keyVaultResourceId string
+
+@description('Optional. The key vault URI to use for encryption.')
+param keyVaultUri string
+
+@description('Optional. Specifies whether or not the LDAP traffic needs to be signed.')
+param ldapSigning bool = false
+
 @description('Optional. Location for all resources.')
 param location string = resourceGroup().location
 
@@ -47,15 +65,29 @@ param enableTelemetry bool = true
 
 var activeDirectoryConnectionProperties = [
   {
+    aesEncryption: !empty(domainName) ? aesEncryption : false
     username: !empty(domainName) ? domainJoinUser : null
     password: !empty(domainName) ? domainJoinPassword : null
     domain: !empty(domainName) ? domainName : null
     dns: !empty(domainName) ? dnsServers : null
+    ldapSigning: !empty(domainName) ? ldapSigning : false
     smbServerName: !empty(domainName) ? smbServerNamePrefix : null
     organizationalUnit: !empty(domainJoinOU) ? domainJoinOU : null
   }
 ]
 
+var encryptionProperties = {
+  identity: {
+    userAssignedIdentity: !empty(managedIdentities) ? managedIdentities.userAssignedResourceIds[0] : null
+  }
+  keySource: !empty(keySource) ? 'Microsoft.KeyVault' : 'Microsoft.NetApp'
+  keyVaultProperties: {
+    keyName: !empty(keySource) ? keyName : null
+    keyVaultResourceId: !empty(keySource) ? keyVaultResourceId : null
+    keyVaultUri: !empty(keySource) ? keyVaultUri : null
+  }
+}
+
 var formattedUserAssignedIdentities = reduce(
   map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }),
   {},
@@ -83,24 +115,23 @@ var builtInRoleNames = {
   )
 }
 
-resource avmTelemetry 'Microsoft.Resources/deployments@2023-07-01' =
-  if (enableTelemetry) {
-    name: '46d3xbcp.res.netapp-netappaccount.${replace('-..--..-', '.', '-')}.${substring(uniqueString(deployment().name, location), 0, 4)}'
-    properties: {
-      mode: 'Incremental'
-      template: {
-        '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
-        contentVersion: '1.0.0.0'
-        resources: []
-        outputs: {
-          telemetry: {
-            type: 'String'
-            value: 'For more information, see https://aka.ms/avm/TelemetryInfo'
-          }
+resource avmTelemetry 'Microsoft.Resources/deployments@2023-07-01' = if (enableTelemetry) {
+  name: '46d3xbcp.res.netapp-netappaccount.${replace('-..--..-', '.', '-')}.${substring(uniqueString(deployment().name, location), 0, 4)}'
+  properties: {
+    mode: 'Incremental'
+    template: {
+      '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#'
+      contentVersion: '1.0.0.0'
+      resources: []
+      outputs: {
+        telemetry: {
+          type: 'String'
+          value: 'For more information, see https://aka.ms/avm/TelemetryInfo'
         }
       }
     }
   }
+}
 
 resource netAppAccount 'Microsoft.NetApp/netAppAccounts@2022-11-01' = {
   name: name
@@ -109,20 +140,20 @@ resource netAppAccount 'Microsoft.NetApp/netAppAccounts@2022-11-01' = {
   location: location
   properties: {
     activeDirectories: !empty(domainName) ? activeDirectoryConnectionProperties : null
+    encryption: !empty(managedIdentities) ? encryptionProperties : null
   }
 }
 
-resource netAppAccount_lock 'Microsoft.Authorization/locks@2020-05-01' =
-  if (!empty(lock ?? {}) && lock.?kind != 'None') {
-    name: lock.?name ?? 'lock-${name}'
-    properties: {
-      level: lock.?kind ?? ''
-      notes: lock.?kind == 'CanNotDelete'
-        ? 'Cannot delete resource or child resources.'
-        : 'Cannot delete or modify the resource or child resources.'
-    }
-    scope: netAppAccount
+resource netAppAccount_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') {
+  name: lock.?name ?? 'lock-${name}'
+  properties: {
+    level: lock.?kind ?? ''
+    notes: lock.?kind == 'CanNotDelete'
+      ? 'Cannot delete resource or child resources.'
+      : 'Cannot delete or modify the resource or child resources.'
   }
+  scope: netAppAccount
+}
 
 resource netAppAccount_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [
   for (roleAssignment, index) in (roleAssignments ?? []): {

@@ -127,6 +127,13 @@
         "description": "Required. The name of the NetApp account."
       }
     },
+    "aesEncryption": {
+      "type": "bool",
+      "defaultValue": false,
+      "metadata": {
+        "description": "Optional. Enable AES encryption on the SMB Server."
+      }
+    },
     "domainName": {
       "type": "string",
       "defaultValue": "",
@@ -188,6 +195,41 @@
         "description": "Optional. Array of role assignments to create."
       }
     },
+    "keyName": {
+      "type": "string",
+      "defaultValue": "",
+      "metadata": {
+        "description": "Optional. The name of the key to use for encryption."
+      }
+    },
+    "keySource": {
+      "type": "string",
+      "defaultValue": "",
+      "metadata": {
+        "description": "Optional. The name of the key to use for encryption."
+      }
+    },
+    "keyVaultResourceId": {
+      "type": "string",
+      "defaultValue": "",
+      "metadata": {
+        "description": "Optional. The resource ID of the key vault to use for encryption."
+      }
+    },
+    "keyVaultUri": {
+      "type": "string",
+      "defaultValue": "",
+      "metadata": {
+        "description": "Optional. The URI of the key vault to use for encryption."
+      }
+    },
+    "ldapSigning": {
+      "type": "bool",
+      "defaultValue": false,
+      "metadata": {
+        "description": "Optional. Specifies whether or not the LDAP traffic needs to be signed."
+      }
+    },
     "location": {
       "type": "string",
       "defaultValue": "[resourceGroup().location]",
@@ -224,7 +266,16 @@
         "domain": "[if(not(empty(parameters('domainName'))), parameters('domainName'), null())]",
         "dns": "[if(not(empty(parameters('domainName'))), parameters('dnsServers'), null())]",
         "smbServerName": "[if(not(empty(parameters('domainName'))), parameters('smbServerNamePrefix'), null())]",
-        "organizationalUnit": "[if(not(empty(parameters('domainJoinOU'))), parameters('domainJoinOU'), null())]"
+        "organizationalUnit": "[if(not(empty(parameters('domainJoinOU'))), parameters('domainJoinOU'), null())]",
+        "aesEncryption": "[if(not(empty(parameters('aesEncryption))), parameters('aesEncryption), false)]",
+        "ldapSigning": "[if(not(empty(parameters('ldapSigning))), parameters('ldapSigning), false)]"
+      }
+    ],
+    "encryptionProperties": [
+      {
+        "keyName": "[if(not(empty(parameters('keyName'))), parameters('keyName'), null())]",
+        "keyVaultResourceId": "[if(not(empty(parameters('keyVaultResourceId'))), parameters('keyVaultResourceId'), null())]",
+        "keyVaultUri": "[if(not(empty(parameters('keyVaultUri'))), parameters('keyVaultUri'), null())]"
       }
     ],
     "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]",