From 0b83d8ab791b3bad1f6bb4f6cf0eb3b1bf36a82b Mon Sep 17 00:00:00 2001
From: Fabio Masciotra
Date: Sat, 17 Aug 2024 16:41:33 +0200
Subject: [PATCH 1/4] added trafficSelectorPolicies property

---
 avm/res/network/connection/README.md | 9 +++++++++
 avm/res/network/connection/main.bicep | 4 ++++
 avm/res/network/connection/main.json | 12 ++++++++++--
 3 files changed, 23 insertions(+), 2 deletions(-)

diff --git a/avm/res/network/connection/README.md b/avm/res/network/connection/README.md
index 918116f245..501da40d9b 100644
--- a/avm/res/network/connection/README.md
+++ b/avm/res/network/connection/README.md
@@ -333,6 +333,7 @@ module connection 'br/public:avm/res/network/connection:' = {
 | [`peer`](#parameter-peer) | object | The remote peer. Used for connection connectionType [ExpressRoute]. |
 | [`routingWeight`](#parameter-routingweight) | int | The weight added to routes learned from this BGP speaker. |
 | [`tags`](#parameter-tags) | object | Tags of the resource. |
+| [`trafficSelectorPolicies`](#parameter-trafficselectorpolicies) | array | The traffic selector policies to be considered by this connection. |
 | [`useLocalAzureIpAddress`](#parameter-uselocalazureipaddress) | bool | Use private local Azure IP for the connection. Only available for IPSec Virtual Network Gateways that use the Azure Private IP Property. |
 | [`usePolicyBasedTrafficSelectors`](#parameter-usepolicybasedtrafficselectors) | bool | Enable policy-based traffic selectors. |
 | [`virtualNetworkGateway2`](#parameter-virtualnetworkgateway2) | object | The remote Virtual Network Gateway. Used for connection connectionType [Vnet2Vnet]. |
@@ -542,6 +543,14 @@ Tags of the resource.
 - Required: No
 - Type: object
 
+### Parameter: `trafficSelectorPolicies`
+
+The traffic selector policies to be considered by this connection.
+
+- Required: No
+- Type: array
+- Default: `[]`
+
 ### Parameter: `useLocalAzureIpAddress`
 
 Use private local Azure IP for the connection. Only available for IPSec Virtual Network Gateways that use the Azure Private IP Property.
diff --git a/avm/res/network/connection/main.bicep b/avm/res/network/connection/main.bicep
index 7521aa229f..28078935b7 100644
--- a/avm/res/network/connection/main.bicep
+++ b/avm/res/network/connection/main.bicep
@@ -47,6 +47,9 @@ param dpdTimeoutSeconds int = 45
 @description('Optional. Enable policy-based traffic selectors.')
 param usePolicyBasedTrafficSelectors bool = false
 
+@description('Optional. The traffic selector policies to be considered by this connection.')
+param trafficSelectorPolicies array = []
+
 @description('Optional. Bypass the ExpressRoute gateway when accessing private-links. ExpressRoute FastPath (expressRouteGatewayBypass) must be enabled. Only available when connection connectionType is Express Route.')
 param enablePrivateLinkFastPath bool = false
 
@@ -132,6 +135,7 @@ resource connection 'Microsoft.Network/connections@2023-04-01' = {
 peer: connectionType == 'ExpressRoute' ? peer : null
 authorizationKey: connectionType == 'ExpressRoute' && !empty(authorizationKey) ? authorizationKey : null
 sharedKey: connectionType != 'ExpressRoute' ? vpnSharedKey : null
+ trafficSelectorPolicies: trafficSelectorPolicies
 usePolicyBasedTrafficSelectors: usePolicyBasedTrafficSelectors
 ipsecPolicies: !empty(customIPSecPolicy.ipsecEncryption)
 ? [
diff --git a/avm/res/network/connection/main.json b/avm/res/network/connection/main.json
index f92bc886ea..ec725f9c35 100644
--- a/avm/res/network/connection/main.json
+++ b/avm/res/network/connection/main.json
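Review bot: `param trafficSelectorPolicies array = []` is an untyped array, so a malformed entry (for example `localAddressRange` instead of `localAddressRanges`, or a value that is not a string list) is only rejected by the resource provider at deployment time, and the README row generated from the description tells the caller nothing about the expected element shape. The ARM `TrafficSelectorPolicy` element has exactly two members, `localAddressRanges` and `remoteAddressRanges`, both string arrays, so a user-defined type would document and validate it in one place; if the module already declares user-defined types for its other object parameters, this one should follow the same pattern. Because the selectors decide which address ranges are permitted through the tunnel, the description should also tell callers to keep the ranges as narrow as the peer requires rather than falling back to a catch-all range. The `@export()` decorator below assumes a Bicep version that supports it (the compiled template records 0.29); drop it if the toolchain is older.
```bicep
@description('Optional. The traffic selector policies to be considered by this connection. Keep the address ranges as narrow as the peer requires.')
param trafficSelectorPolicies trafficSelectorPolicyType[] = []

// … unchanged: remaining parameters and the connection resource …

@export()
@description('The type for a traffic selector policy of an IPsec connection.')
type trafficSelectorPolicyType = {
  @description('Required. A collection of local address spaces in CIDR format.')
  localAddressRanges: string[]

  @description('Required. A collection of remote address spaces in CIDR format.')
  remoteAddressRanges: string[]
}
```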
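Review bot: `trafficSelectorPolicies: trafficSelectorPolicies` is passed unconditionally, while the neighbouring `peer`, `authorizationKey` and `sharedKey` properties on the lines above are each gated on `connectionType`; traffic selectors describe IPsec tunnel scope, so as far as I can tell an ExpressRoute connection now receives a selector list it cannot use. For consistency with those lines I would gate it the same way, `trafficSelectorPolicies: connectionType != 'ExpressRoute' && !empty(trafficSelectorPolicies) ? trafficSelectorPolicies : null`, which also avoids sending `[]` for the common case where no selectors are wanted. It is worth confirming with the resource provider whether an empty array and an omitted property are treated identically on redeploy; if they are not, the gated form is the one that keeps the `idem` test run clean. The `properties` block of `resource connection` starts before this hunk and continues past it.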
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.28.1.47646", - "templateHash": "16458068655280591810" + "version": "0.29.47.4906", + "templateHash": "13075925260036107325" }, "name": "Virtual Network Gateway Connections", "description": "This module deploys a Virtual Network Gateway Connection.", @@ -119,6 +119,13 @@ "description": "Optional. Enable policy-based traffic selectors." } }, + "trafficSelectorPolicies": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. The traffic selector policies to be considered by this connection." + } + }, "enablePrivateLinkFastPath": { "type": "bool", "defaultValue": false, @@ -258,6 +265,7 @@ "peer": "[if(equals(parameters('connectionType'), 'ExpressRoute'), parameters('peer'), null())]", "authorizationKey": "[if(and(equals(parameters('connectionType'), 'ExpressRoute'), not(empty(parameters('authorizationKey')))), parameters('authorizationKey'), null())]", "sharedKey": "[if(not(equals(parameters('connectionType'), 'ExpressRoute')), parameters('vpnSharedKey'), null())]", + "trafficSelectorPolicies": "[parameters('trafficSelectorPolicies')]", "usePolicyBasedTrafficSelectors": "[parameters('usePolicyBasedTrafficSelectors')]", "ipsecPolicies": "[if(not(empty(parameters('customIPSecPolicy').ipsecEncryption)), createArray(createObject('saLifeTimeSeconds', parameters('customIPSecPolicy').saLifeTimeSeconds, 'saDataSizeKilobytes', parameters('customIPSecPolicy').saDataSizeKilobytes, 'ipsecEncryption', parameters('customIPSecPolicy').ipsecEncryption, 'ipsecIntegrity', parameters('customIPSecPolicy').ipsecIntegrity, 'ikeEncryption', parameters('customIPSecPolicy').ikeEncryption, 'ikeIntegrity', parameters('customIPSecPolicy').ikeIntegrity, 'dhGroup', parameters('customIPSecPolicy').dhGroup, 'pfsGroup', parameters('customIPSecPolicy').pfsGroup)), parameters('customIPSecPolicy').ipsecEncryption)]", "routingWeight": "[parameters('routingWeight')]", 
From e46692c663ea3e0140216f180e784512fefa7854 Mon Sep 17 00:00:00 2001
From: Fabio Masciotra
Date: Fri, 20 Sep 2024 19:49:30 +0200
Subject: [PATCH 2/4] updated test cases

---
 avm/res/network/nat-gateway/README.md | 65 +++++++++++++++++--
 avm/res/network/nat-gateway/main.bicep | 4 +-
 avm/res/network/nat-gateway/main.json | 20 +++---
 .../tests/e2e/existingPip/dependencies.bicep | 25 +++++++
 .../tests/e2e/existingPip/main.test.bicep | 61 +++++++++++++++++
 5 files changed, 161 insertions(+), 14 deletions(-)
 create mode 100644 avm/res/network/nat-gateway/tests/e2e/existingPip/dependencies.bicep
 create mode 100644 avm/res/network/nat-gateway/tests/e2e/existingPip/main.test.bicep

diff --git a/avm/res/network/nat-gateway/README.md b/avm/res/network/nat-gateway/README.md
index 8c6358ff0c..58bbc91a55 100644
--- a/avm/res/network/nat-gateway/README.md
+++ b/avm/res/network/nat-gateway/README.md
@@ -32,8 +32,9 @@ The following section provides usage examples for the module, which were used to
 
 - [Using only defaults](#example-1-using-only-defaults)
 - [Using large parameter set](#example-2-using-large-parameter-set)
-- [Combine a generated and provided Public IP Prefix](#example-3-combine-a-generated-and-provided-public-ip-prefix)
-- [WAF-aligned](#example-4-waf-aligned)
+- [Using large parameter set](#example-3-using-large-parameter-set)
+- [Combine a generated and provided Public IP Prefix](#example-4-combine-a-generated-and-provided-public-ip-prefix)
+- [WAF-aligned](#example-5-waf-aligned)
 
 ### Example 1: _Using only defaults_
 
@@ -92,6 +93,62 @@ module natGateway 'br/public:avm/res/network/nat-gateway:' = {
 This instance deploys the module with most of its features enabled.
+
+ +via Bicep module + +```bicep +module natGateway 'br/public:avm/res/network/nat-gateway:' = { + name: 'natGatewayDeployment' + params: { + // Required parameters + name: 'nngepip001' + zone: 1 + // Non-required parameters + location: '' + publicIpResourceIds: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "nngepip001" + }, + "zone": { + "value": 1 + }, + // Non-required parameters + "location": { + "value": "" + }, + "publicIpResourceIds": { + "value": "" + } + } +} +``` + +
+

+ +### Example 3: _Using large parameter set_ + +This instance deploys the module with most of its features enabled. + +

via Bicep module @@ -287,7 +344,7 @@ module natGateway 'br/public:avm/res/network/nat-gateway:' = {

-### Example 3: _Combine a generated and provided Public IP Prefix_ +### Example 4: _Combine a generated and provided Public IP Prefix_ This example shows how you can provide a Public IP Prefix to the module, while also generating one in the module. @@ -359,7 +416,7 @@ module natGateway 'br/public:avm/res/network/nat-gateway:' = {

-### Example 4: _WAF-aligned_
+### Example 5: _WAF-aligned_
 
 This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.
diff --git a/avm/res/network/nat-gateway/main.bicep b/avm/res/network/nat-gateway/main.bicep
index 8836c815fe..f576caedd5 100644
--- a/avm/res/network/nat-gateway/main.bicep
+++ b/avm/res/network/nat-gateway/main.bicep
@@ -99,7 +99,7 @@ module publicIPAddresses 'br/public:avm/res/network/public-ip-address:0.5.1' = [
 for (publicIPAddressObject, index) in (publicIPAddressObjects ?? []): {
 name: '${uniqueString(deployment().name, location)}-NatGw-PIP-${index}'
 params: {
- name: contains(publicIPAddressObject, 'name') ? publicIPAddressObject.name : '${name}-pip'
+ name: publicIPAddressObject.?name ?? '${name}-pip'
 location: location
 lock: publicIPAddressObject.?lock ?? lock
 diagnosticSettings: publicIPAddressObject.?diagnosticSettings
@@ -133,7 +133,7 @@ module publicIPPrefixes 'br/public:avm/res/network/public-ip-prefix:0.4.1' = [
 for (publicIPPrefixObject, index) in (publicIPPrefixObjects ?? []): {
 name: '${uniqueString(deployment().name, location)}-NatGw-Prefix-PIP-${index}'
 params: {
- name: contains(publicIPPrefixObject, 'name') ? publicIPPrefixObject.name : '${name}-pip'
+ name: publicIPPrefixObject.?name ?? '${name}-pip'
 location: location
 lock: publicIPPrefixObject.?lock ?? lock
 prefixLength: publicIPPrefixObject.prefixLength
diff --git a/avm/res/network/nat-gateway/main.json b/avm/res/network/nat-gateway/main.json
index 414a6e0129..588a626b30 100644
--- a/avm/res/network/nat-gateway/main.json
+++ b/avm/res/network/nat-gateway/main.json
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "3430947452943320440" + "version": "0.30.3.12046", + "templateHash": "16462612640291787003" }, "name": "NAT Gateways", "description": "This module deploys a NAT Gateway.", 
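Review bot: The new fallback `publicIPAddressObject.?name ?? '${name}-pip'` still gives every unnamed entry of `publicIPAddressObjects` the same resource name, so two objects supplied without `name` make the loop deploy two `Microsoft.Network/publicIPAddresses` with an identical name into one resource group, which either fails with a conflict or silently collapses both entries into one resource; the prefix hunk below uses the same `'${name}-pip'` default and has the same problem. The `.?name ??` form is a real improvement over `contains()`, since an explicit `name: null` now also falls back instead of yielding a null name. Folding the loop index into the default (`'${name}-pip-${index}'`) would remove the clash but renames the resource of existing single-entry deployments, so the safer first step is to say in the `publicIPAddressObjects` parameter description that `name` is optional for a single object and must be set when several are supplied, because the default would collide. The `module publicIPAddresses` loop starts before this hunk and its body continues past it.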
@@ -308,7 +308,9 @@ }, "mode": "Incremental", "parameters": { - "name": "[if(contains(coalesce(parameters('publicIPAddressObjects'), createArray())[copyIndex()], 'name'), createObject('value', coalesce(parameters('publicIPAddressObjects'), createArray())[copyIndex()].name), createObject('value', format('{0}-pip', parameters('name'))))]", + "name": { + "value": "[coalesce(tryGet(coalesce(parameters('publicIPAddressObjects'), createArray())[copyIndex()], 'name'), format('{0}-pip', parameters('name')))]" + }, "location": { "value": "[parameters('location')]" }, @@ -1004,8 +1006,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "15040145942768763519" + "version": "0.30.3.12046", + "templateHash": "9121047532434826411" } }, "parameters": { @@ -1050,7 +1052,9 @@ }, "mode": "Incremental", "parameters": { - "name": "[if(contains(coalesce(parameters('publicIPPrefixObjects'), createArray())[copyIndex()], 'name'), createObject('value', coalesce(parameters('publicIPPrefixObjects'), createArray())[copyIndex()].name), createObject('value', format('{0}-pip', parameters('name'))))]", + "name": { + "value": "[coalesce(tryGet(coalesce(parameters('publicIPPrefixObjects'), createArray())[copyIndex()], 'name'), format('{0}-pip', parameters('name')))]" + }, "location": { "value": "[parameters('location')]" }, @@ -1416,8 +1420,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "15040145942768763519" + "version": "0.30.3.12046", + "templateHash": "9121047532434826411" } }, "parameters": { diff --git a/avm/res/network/nat-gateway/tests/e2e/existingPip/dependencies.bicep b/avm/res/network/nat-gateway/tests/e2e/existingPip/dependencies.bicep new file mode 100644 index 0000000000..d12b008b0c --- /dev/null +++ b/avm/res/network/nat-gateway/tests/e2e/existingPip/dependencies.bicep 
@@ -0,0 +1,25 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Public IP to create.')
+param existingPipName string
+
+resource existingPip 'Microsoft.Network/publicIPAddresses@2023-04-01' = {
+ name: existingPipName
+ location: location
+ sku: {
+ name: 'Standard'
+ tier: 'Regional'
+ }
+ properties: {
+ publicIPAllocationMethod: 'Static'
+ }
+ zones: [
+ '1'
+ '2'
+ '3'
+ ]
+}
+
+@description('The resource ID of the existing Public IP.')
+output existingPipResourceId string = existingPip.id
diff --git a/avm/res/network/nat-gateway/tests/e2e/existingPip/main.test.bicep b/avm/res/network/nat-gateway/tests/e2e/existingPip/main.test.bicep
new file mode 100644
index 0000000000..d506266a6c
--- /dev/null
+++ b/avm/res/network/nat-gateway/tests/e2e/existingPip/main.test.bicep
@@ -0,0 +1,61 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.natgateway-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param resourceLocation string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'nngepip' + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '#_namePrefix_#' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: resourceLocation +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, resourceLocation)}-nestedDependencies' + params: { + location: resourceLocation + existingPipName: '${namePrefix}${serviceShort}001-existingpip1' + + } +} + + +// ============== // +// Test Execution // +// ============== // + +@batchSize(1) +module testDeployment '../../../main.bicep' = [ + for iteration in ['init', 'idem']: { + scope: resourceGroup + name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}-${iteration}' + params: { + location: resourceLocation + name: '${namePrefix}${serviceShort}001' + zone: 1 + publicIpResourceIds: [nestedDependencies.outputs.existingPipResourceId] + } + } +] From 671a83de4efc2303071ce99325ca47a7b628c681 Mon Sep 17 00:00:00 2001 
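Review bot: The `params` block of `nestedDependencies` carries a stray blank line after `existingPipName: '${namePrefix}${serviceShort}001-existingpip1'`, and two consecutive blank lines separate the closing `}` from the `// Test Execution //` banner; the sibling AVM test files keep a single blank line between sections, so `bicep format` or the repository lint step will likely flag both. Separately, the test pins `zone: 1` on the NAT gateway while `dependencies.bicep` creates the public IP with zones 1, 2 and 3; if a zonal gateway fed by a zone-redundant IP is the combination this test is meant to prove, one comment above `zone: 1` such as `// zonal NAT gateway attached to a zone-redundant public IP` stops a reader from taking it for a mismatch. I cannot confirm from the patch alone which zone pairings the resource provider accepts, so this is worth a deliberate note rather than an implicit one. The whole file is inside this hunk.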
From: Fabio Masciotra Date: Sun, 22 Sep 2024 12:24:36 +0200 Subject: [PATCH 3/4] metadata and readme file updated --- avm/res/network/nat-gateway/README.md | 4 ++-- .../network/nat-gateway/tests/e2e/existingPip/main.test.bicep | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/avm/res/network/nat-gateway/README.md b/avm/res/network/nat-gateway/README.md index 58bbc91a55..fbe22509f6 100644 --- a/avm/res/network/nat-gateway/README.md +++ b/avm/res/network/nat-gateway/README.md @@ -31,7 +31,7 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br/public:avm/res/network/nat-gateway:`. - [Using only defaults](#example-1-using-only-defaults) -- [Using large parameter set](#example-2-using-large-parameter-set) +- [Using an existing Public IP](#example-2-using-an-existing-public-ip) - [Using large parameter set](#example-3-using-large-parameter-set) - [Combine a generated and provided Public IP Prefix](#example-4-combine-a-generated-and-provided-public-ip-prefix) - [WAF-aligned](#example-5-waf-aligned) @@ -88,7 +88,7 @@ module natGateway 'br/public:avm/res/network/nat-gateway:' = {

-### Example 2: _Using large parameter set_ +### Example 2: _Using an existing Public IP_ This instance deploys the module with most of its features enabled. diff --git a/avm/res/network/nat-gateway/tests/e2e/existingPip/main.test.bicep b/avm/res/network/nat-gateway/tests/e2e/existingPip/main.test.bicep index d506266a6c..61c4de06cc 100644 --- a/avm/res/network/nat-gateway/tests/e2e/existingPip/main.test.bicep +++ b/avm/res/network/nat-gateway/tests/e2e/existingPip/main.test.bicep @@ -1,6 +1,6 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' +metadata name = 'Using an existing Public IP' metadata description = 'This instance deploys the module with most of its features enabled.' // ========== // From 802bbfb170e239882491158ed5455f7fe74d1d03 Mon Sep 17 00:00:00 2001 From: Fabio Masciotra Date: Mon, 23 Sep 2024 10:22:14 +0200 Subject: [PATCH 4/4] updated metadata description --- avm/res/network/nat-gateway/README.md | 2 +- .../network/nat-gateway/tests/e2e/existingPip/main.test.bicep | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/avm/res/network/nat-gateway/README.md b/avm/res/network/nat-gateway/README.md index fbe22509f6..d12c7b26f7 100644 --- a/avm/res/network/nat-gateway/README.md +++ b/avm/res/network/nat-gateway/README.md @@ -90,7 +90,7 @@ module natGateway 'br/public:avm/res/network/nat-gateway:' = { ### Example 2: _Using an existing Public IP_ -This instance deploys the module with most of its features enabled. +This instance deploys the module using an existing Public IP address.

diff --git a/avm/res/network/nat-gateway/tests/e2e/existingPip/main.test.bicep b/avm/res/network/nat-gateway/tests/e2e/existingPip/main.test.bicep index 61c4de06cc..1b13848208 100644 --- a/avm/res/network/nat-gateway/tests/e2e/existingPip/main.test.bicep +++ b/avm/res/network/nat-gateway/tests/e2e/existingPip/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' metadata name = 'Using an existing Public IP' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata description = 'This instance deploys the module using an existing Public IP address.' // ========== // // Parameters //