From 4f9dd767c4190f68acb84fafad38995b4de8557e Mon Sep 17 00:00:00 2001
From: Matthew Schmitt
Date: Wed, 18 Dec 2024 16:10:27 -0800
Subject: [PATCH 1/7] Adding support for advancedThreatProtection, which enables Defender. Updated network configs to support publicNetworkAccess and updated max and private tests

---
 .../db-for-my-sql/flexible-server/README.md | 82 +++++++++++++++++++
 .../advanced-threat-protection/README.md | 34 ++++++++
 .../advanced-threat-protection/main.bicep | 18 ++++
 .../advanced-threat-protection/main.json | 32 ++++++++
 .../db-for-my-sql/flexible-server/main.bicep | 24 ++++-
 .../db-for-my-sql/flexible-server/main.json | 74 ++++++++++++++++-
 .../tests/e2e/max/main.test.bicep | 7 +-
 .../tests/e2e/private/main.test.bicep | 17 ++++
 8 files changed, 275 insertions(+), 13 deletions(-)
 create mode 100644 avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/README.md
 create mode 100644 avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/main.bicep
 create mode 100644 avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/main.json

diff --git a/avm/res/db-for-my-sql/flexible-server/README.md b/avm/res/db-for-my-sql/flexible-server/README.md
index 344c4a5670..e35b12d8fb 100644
--- a/avm/res/db-for-my-sql/flexible-server/README.md
+++ b/avm/res/db-for-my-sql/flexible-server/README.md
@@ -19,6 +19,7 @@ This module deploys a DBforMySQL Flexible Server. | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | | `Microsoft.DBforMySQL/flexibleServers` | [2023-12-30](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DBforMySQL/2023-12-30/flexibleServers) | | `Microsoft.DBforMySQL/flexibleServers/administrators` | [2023-06-30](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DBforMySQL/2023-06-30/flexibleServers/administrators) | +| `Microsoft.DBforMySQL/flexibleServers/advancedThreatProtectionSettings` | [2023-12-30](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DBforMySQL/2023-12-30/flexibleServers/advancedThreatProtectionSettings) | | `Microsoft.DBforMySQL/flexibleServers/databases` | [2023-06-30](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DBforMySQL/2023-06-30/flexibleServers/databases) | | `Microsoft.DBforMySQL/flexibleServers/firewallRules` | [2023-06-30](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DBforMySQL/2023-06-30/flexibleServers/firewallRules) | | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | @@ -145,6 +146,7 @@ module flexibleServer 'br/public:avm/res/db-for-my-sql/flexible-server: // Non-required parameters administratorLogin: 'adminUserName' administratorLoginPassword: '' + advancedThreatProtectionEnabled: true availabilityZone: '1' backupRetentionDays: 20 customerManagedKey: { @@ -211,6 +213,7 @@ module flexibleServer 'br/public:avm/res/db-for-my-sql/flexible-server: '' ] } + publicNetworkAccess: 'Enabled' roleAssignments: [ { name: '2478b63b-0cae-457f-9bd3-9feb00e1925b' 
@@ -273,6 +276,9 @@ module flexibleServer 'br/public:avm/res/db-for-my-sql/flexible-server: "administratorLoginPassword": { "value": "" }, + "advancedThreatProtectionEnabled": { + "value": true + }, "availabilityZone": { "value": "1" }, @@ -363,6 +369,9 @@ module flexibleServer 'br/public:avm/res/db-for-my-sql/flexible-server: ] } }, + "publicNetworkAccess": { + "value": "Enabled" + }, "roleAssignments": { "value": [ { @@ -427,6 +436,7 @@ param tier = 'GeneralPurpose' // Non-required parameters param administratorLogin = 'adminUserName' param administratorLoginPassword = '' +param advancedThreatProtectionEnabled = true param availabilityZone = '1' param backupRetentionDays = 20 param customerManagedKey = { @@ -493,6 +503,7 @@ param managedIdentities = { '' ] } +param publicNetworkAccess = 'Enabled' param roleAssignments = [ { name: '2478b63b-0cae-457f-9bd3-9feb00e1925b' @@ -561,6 +572,23 @@ module flexibleServer 'br/public:avm/res/db-for-my-sql/flexible-server: } ] delegatedSubnetResourceId: '' + firewallRules: [ + { + endIpAddress: '0.0.0.0' + name: 'AllowAllWindowsAzureIps' + startIpAddress: '0.0.0.0' + } + { + endIpAddress: '10.10.10.10' + name: 'test-rule1' + startIpAddress: '10.10.10.1' + } + { + endIpAddress: '100.100.100.10' + name: 'test-rule2' + startIpAddress: '100.100.100.1' + } + ] highAvailability: 'SameZone' location: '' managedIdentities: { @@ -628,6 +656,25 @@ module flexibleServer 'br/public:avm/res/db-for-my-sql/flexible-server: "delegatedSubnetResourceId": { "value": "" }, + "firewallRules": { + "value": [ + { + "endIpAddress": "0.0.0.0", + "name": "AllowAllWindowsAzureIps", + "startIpAddress": "0.0.0.0" + }, + { + "endIpAddress": "10.10.10.10", + "name": "test-rule1", + "startIpAddress": "10.10.10.1" + }, + { + "endIpAddress": "100.100.100.10", + "name": "test-rule2", + "startIpAddress": "100.100.100.1" + } + ] + }, "highAvailability": { "value": "SameZone" }, 
@@ -691,6 +738,23 @@ param databases = [ } ] param delegatedSubnetResourceId = '' +param firewallRules = [ + { + endIpAddress: '0.0.0.0' + name: 'AllowAllWindowsAzureIps' + startIpAddress: '0.0.0.0' + } + { + endIpAddress: '10.10.10.10' + name: 'test-rule1' + startIpAddress: '10.10.10.1' + } + { + endIpAddress: '100.100.100.10' + name: 'test-rule2' + startIpAddress: '100.100.100.1' + } +] param highAvailability = 'SameZone' param location = '' param managedIdentities = { @@ -870,6 +934,7 @@ param tags = { | [`administratorLogin`](#parameter-administratorlogin) | string | The administrator login name of a server. Can only be specified when the MySQL server is being created. | | [`administratorLoginPassword`](#parameter-administratorloginpassword) | securestring | The administrator login password. | | [`administrators`](#parameter-administrators) | array | The Azure AD administrators when AAD authentication enabled. | +| [`advancedThreatProtectionEnabled`](#parameter-advancedthreatprotectionenabled) | bool | Enable/Disable Advanced Threat Protection (Microsoft Defnder for ) for the server. | | [`availabilityZone`](#parameter-availabilityzone) | string | Availability zone information of the server. Default will have no preference set. | | [`backupRetentionDays`](#parameter-backupretentiondays) | int | Backup retention days for the server. | | [`createMode`](#parameter-createmode) | string | The mode to create a new MySQL server. | 
@@ -886,6 +951,7 @@ param tags = { | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`maintenanceWindow`](#parameter-maintenancewindow) | object | Properties for the maintenence window. If provided, "customWindow" property must exist and set to "Enabled". | +| [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Specifies whether public network access is allowed for this server. Set to "Enabled" to allow public access, or "Disabled" (default) when the server has VNet integration. | | [`replicationRole`](#parameter-replicationrole) | string | The replication role. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`storageAutoIoScaling`](#parameter-storageautoioscaling) | string | Enable IO Auto Scaling or not. The server scales IOPs up or down automatically depending on your workload needs. | @@ -1006,6 +1072,14 @@ The Azure AD administrators when AAD authentication enabled. - Type: array - Default: `[]` +### Parameter: `advancedThreatProtectionEnabled` + +Enable/Disable Advanced Threat Protection (Microsoft Defnder for ) for the server. + +- Required: No +- Type: bool +- Default: `True` + ### Parameter: `availabilityZone` Availability zone information of the server. Default will have no preference set. @@ -1415,6 +1489,14 @@ Properties for the maintenence window. If provided, "customWindow" property must - Type: object - Default: `{}` +### Parameter: `publicNetworkAccess` + +Specifies whether public network access is allowed for this server. Set to "Enabled" to allow public access, or "Disabled" (default) when the server has VNet integration. + +- Required: No +- Type: string +- Default: `'Disabled'` + ### Parameter: `replicationRole` The replication role. 
diff --git a/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/README.md b/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/README.md
new file mode 100644
index 0000000000..2ad1c43217
--- /dev/null
+++ b/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/README.md
@@ -0,0 +1,34 @@
+# DBforMySQL Flexible Server Advanced Threat Protection `[Microsoft.DBforMySQL/flexibleServers]`
+
+This module enables Advanced Threat Protection for DBforMySQL Flexible Server.
+
+## Navigation
+
+- [Resource Types](#Resource-Types)
+- [Parameters](#Parameters)
+- [Outputs](#Outputs)
+
+## Resource Types
+
+| Resource Type | API Version |
+| :-- | :-- |
+| `Microsoft.DBforMySQL/flexibleServers/advancedThreatProtectionSettings` | [2023-12-30](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DBforMySQL/2023-12-30/flexibleServers/advancedThreatProtectionSettings) |
+
+## Parameters
+
+**Conditional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`flexibleServerName`](#parameter-flexibleservername) | string | The name of the parent DBforMySQL flexible server. Required if the template is used in a standalone deployment. |
+
+### Parameter: `flexibleServerName`
+
+The name of the parent DBforMySQL flexible server. Required if the template is used in a standalone deployment.
+
+- Required: Yes
+- Type: string
+
+## Outputs
+
+_None_
diff --git a/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/main.bicep b/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/main.bicep
new file mode 100644
index 0000000000..84656d275e
--- /dev/null
+++ b/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/main.bicep
@@ -0,0 +1,18 @@
+metadata name = 'DBforMySQL Flexible Server Advanced Threat Protection'
+metadata description = 'This module enables Advanced Threat Protection for DBforMySQL Flexible Server.'
+metadata owner = 'Azure/module-maintainers'
+
+@description('Conditional. The name of the parent DBforMySQL flexible server. Required if the template is used in a standalone deployment.')
+param flexibleServerName string
+
+resource flexibleServer 'Microsoft.DBforMySQL/flexibleServers@2023-12-30' existing = {
+  name: flexibleServerName
+}
+
+resource advancedThreatProtection 'Microsoft.DBforMySQL/flexibleServers/advancedThreatProtectionSettings@2023-12-30' = {
+  parent: flexibleServer
+  name: 'Default'
+  properties: {
+    state: 'Enabled'
+  }
+}
diff --git a/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/main.json b/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/main.json
new file mode 100644
index 0000000000..fce2673013
--- /dev/null
+++ b/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/main.json
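Review bot: The child module hard-codes `state: 'Enabled'` and offers no way to set `'Disabled'`, so the parent's `advancedThreatProtectionEnabled = false` can only skip this deployment; a server on which the setting was enabled earlier keeps it, and the parameter's "Enable/Disable" wording promises something the template cannot do. Exposing the state as a parameter, `@allowed(['Enabled', 'Disabled'])` / `param state string = 'Enabled'`, and writing `state: state` in the resource lets the parent deploy this module unconditionally with `state: advancedThreatProtectionEnabled ? 'Enabled' : 'Disabled'`, keeping the deployed setting convergent with the parameter value. The parameter deserves a `@description('Optional. The Advanced Threat Protection state to apply to the server.')` so the generated README documents it.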
@@ -0,0 +1,32 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.31.92.45157", + "templateHash": "13311310515375264841" + }, + "name": "DBforMySQL Flexible Server Advanced Threat Protection", + "description": "This module enables Advanced Threat Protection for DBforMySQL Flexible Server.", + "owner": "Azure/module-maintainers" + }, + "parameters": { + "flexibleServerName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent DBforMySQL flexible server. Required if the template is used in a standalone deployment." + } + } + }, + "resources": [ + { + "type": "Microsoft.DBforMySQL/flexibleServers/advancedThreatProtectionSettings", + "apiVersion": "2023-12-30", + "name": "[format('{0}/{1}', parameters('flexibleServerName'), 'Default')]", + "properties": { + "state": "Enabled" + } + } + ] +} \ No newline at end of file diff --git a/avm/res/db-for-my-sql/flexible-server/main.bicep b/avm/res/db-for-my-sql/flexible-server/main.bicep index f6439ed413..8656ec884d 100644 --- a/avm/res/db-for-my-sql/flexible-server/main.bicep +++ b/avm/res/db-for-my-sql/flexible-server/main.bicep 
@@ -97,6 +97,9 @@ param delegatedSubnetResourceId string = ''
 @description('Conditional. Private dns zone arm resource ID. Used when the desired connectivity mode is "Private Access". Required if "delegatedSubnetResourceId" is used and the Private DNS Zone name must end with mysql.database.azure.com in order to be linked to the MySQL Flexible Server.')
 param privateDnsZoneResourceId string = ''
 
+@description('Optional. Specifies whether public network access is allowed for this server. Set to "Enabled" to allow public access, or "Disabled" (default) when the server has VNet integration.')
+param publicNetworkAccess string = 'Disabled'
+
 @description('Conditional. Restore point creation time (ISO8601 format), specifying the time to restore from. Required if "createMode" is set to "PointInTimeRestore".')
 param restorePointInTime string = ''
 
@@ -159,6 +162,9 @@ param databases array = []
 @description('Optional. The firewall rules to create in the MySQL flexible server.')
 param firewallRules array = []
 
+@description('Optional. Enable/Disable Advanced Threat Protection (Microsoft Defnder for ) for the server.')
+param advancedThreatProtectionEnabled bool = true
+
 import { roleAssignmentType } from 'br/public:avm/utl/types/avm-common-types:0.4.0'
 @description('Optional. Array of role assignments to create.')
 param roleAssignments roleAssignmentType[]?
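Review bot: `param publicNetworkAccess string = 'Disabled'` accepts any string although the service recognises only two values; adding `@allowed(['Enabled', 'Disabled'])` above the `param` line turns a typo into a compile-time error instead of a failed deployment and is what the description already implies. In the second hunk the description of `advancedThreatProtectionEnabled` has a typo and an unfinished parenthetical, `(Microsoft Defnder for )`; README.md and main.json are generated from this string, so fixing it once here, e.g. `@description('Optional. Enable/Disable Advanced Threat Protection (Microsoft Defender) for the server.')`, corrects all three files. The `publicNetworkAccess` description also says `'Disabled'` is the default "when the server has VNet integration", but the default applies to every deployment; it should state plainly that callers who rely on `firewallRules` must opt in with `'Enabled'`.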
@@ -324,12 +330,11 @@ resource flexibleServer 'Microsoft.DBforMySQL/flexibleServers@2023-12-30' = {
           startMinute: maintenanceWindow.customWindow == 'Enabled' ? maintenanceWindow.startMinute : 0
         }
       : null
-    network: !empty(delegatedSubnetResourceId) && empty(firewallRules)
-      ? {
-          delegatedSubnetResourceId: delegatedSubnetResourceId
-          privateDnsZoneResourceId: privateDnsZoneResourceId
-        }
-      : null
+    network: {
+      delegatedSubnetResourceId: !empty(delegatedSubnetResourceId) ? delegatedSubnetResourceId : null
+      privateDnsZoneResourceId: !empty(privateDnsZoneResourceId) ? privateDnsZoneResourceId : null
+      publicNetworkAccess: publicNetworkAccess
+    }
     replicationRole: replicationRole
     restorePointInTime: restorePointInTime
     sourceServerResourceId: !empty(sourceServerResourceId) ? sourceServerResourceId : null
@@ -407,6 +412,13 @@ module flexibleServer_administrators 'administrator/main.bicep' = [
   }
 ]
 
+module flexibleServer_advancedThreatProtection 'advanced-threat-protection/main.bicep' = if (advancedThreatProtectionEnabled) {
+  name: '${uniqueString(deployment().name, location)}-MySQL-AdvancedThreatProtection'
+  params: {
+    flexibleServerName: flexibleServer.name
+  }
+}
+
 resource flexibleServer_diagnosticSettings 'Microsoft.Insights/diagnosticSettings@2021-05-01-preview' = [
   for (diagnosticSetting, index) in (diagnosticSettings ?? []): {
     name: diagnosticSetting.?name ?? '${name}-diagnosticSettings'
diff --git a/avm/res/db-for-my-sql/flexible-server/main.json b/avm/res/db-for-my-sql/flexible-server/main.json
index 2977b47912..52856578d5 100644
--- a/avm/res/db-for-my-sql/flexible-server/main.json
+++ b/avm/res/db-for-my-sql/flexible-server/main.json
@@ -6,7 +6,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.31.92.45157",
-      "templateHash": "17625741196665765886"
+      "templateHash": "3089772420646844780"
     },
     "name": "DBforMySQL Flexible Servers",
     "description": "This module deploys a DBforMySQL Flexible Server.",
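Review bot: The `network` block is now always emitted with `publicNetworkAccess` defaulting to `'Disabled'`, so an existing caller that passes `firewallRules` without a delegated subnet — previously left with the service default because `network` was `null` — now gets a server whose firewall rules admit no traffic until it also sets `publicNetworkAccess: 'Enabled'` (the max test in this commit had to add exactly that). Disabled-by-default is the right posture, but it is a behavioural change for current consumers and should be called out in the parameter description and the module's version notes rather than left for deployments to discover. The removed guard `&& empty(firewallRules)` also deliberately never combined a delegated subnet with firewall rules; the new code drops that guard and the private test in this commit now submits both, which I believe the service rejects for VNet-integrated servers — worth confirming before that test is relied on. The enclosing `resource flexibleServer` definition starts and ends outside this hunk.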
@@ -472,6 +472,13 @@ "description": "Conditional. Private dns zone arm resource ID. Used when the desired connectivity mode is \"Private Access\". Required if \"delegatedSubnetResourceId\" is used and the Private DNS Zone name must end with mysql.database.azure.com in order to be linked to the MySQL Flexible Server." } }, + "publicNetworkAccess": { + "type": "string", + "defaultValue": "Disabled", + "metadata": { + "description": "Optional. Specifies whether public network access is allowed for this server. Set to \"Enabled\" to allow public access, or \"Disabled\" (default) when the server has VNet integration." + } + }, "restorePointInTime": { "type": "string", "defaultValue": "", @@ -574,6 +581,13 @@ "description": "Optional. The firewall rules to create in the MySQL flexible server." } }, + "advancedThreatProtectionEnabled": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable/Disable Advanced Threat Protection (Microsoft Defnder for ) for the server." + } + }, "roleAssignments": { "type": "array", "items": { 
@@ -734,7 +748,11 @@ "standbyAvailabilityZone": "[variables('standByAvailabilityZone')]" }, "maintenanceWindow": "[if(not(empty(parameters('maintenanceWindow'))), createObject('customWindow', parameters('maintenanceWindow').customWindow, 'dayOfWeek', if(equals(parameters('maintenanceWindow').customWindow, 'Enabled'), parameters('maintenanceWindow').dayOfWeek, 0), 'startHour', if(equals(parameters('maintenanceWindow').customWindow, 'Enabled'), parameters('maintenanceWindow').startHour, 0), 'startMinute', if(equals(parameters('maintenanceWindow').customWindow, 'Enabled'), parameters('maintenanceWindow').startMinute, 0)), null())]", - "network": "[if(and(not(empty(parameters('delegatedSubnetResourceId'))), empty(parameters('firewallRules'))), createObject('delegatedSubnetResourceId', parameters('delegatedSubnetResourceId'), 'privateDnsZoneResourceId', parameters('privateDnsZoneResourceId')), null())]", + "network": { + "delegatedSubnetResourceId": "[if(not(empty(parameters('delegatedSubnetResourceId'))), parameters('delegatedSubnetResourceId'), null())]", + "privateDnsZoneResourceId": "[if(not(empty(parameters('privateDnsZoneResourceId'))), parameters('privateDnsZoneResourceId'), null())]", + "publicNetworkAccess": "[parameters('publicNetworkAccess')]" + }, "replicationRole": "[parameters('replicationRole')]", "restorePointInTime": "[parameters('restorePointInTime')]", "sourceServerResourceId": "[if(not(empty(parameters('sourceServerResourceId'))), parameters('sourceServerResourceId'), null())]", 
@@ -1162,6 +1180,58 @@ "dependsOn": [ "flexibleServer" ] + }, + "flexibleServer_advancedThreatProtection": { + "condition": "[parameters('advancedThreatProtectionEnabled')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-MySQL-AdvancedThreatProtection', uniqueString(deployment().name, parameters('location')))]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "flexibleServerName": { + "value": "[parameters('name')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.31.92.45157", + "templateHash": "13311310515375264841" + }, + "name": "DBforMySQL Flexible Server Advanced Threat Protection", + "description": "This module enables Advanced Threat Protection for DBforMySQL Flexible Server.", + "owner": "Azure/module-maintainers" + }, + "parameters": { + "flexibleServerName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent DBforMySQL flexible server. Required if the template is used in a standalone deployment." + } + } + }, + "resources": [ + { + "type": "Microsoft.DBforMySQL/flexibleServers/advancedThreatProtectionSettings", + "apiVersion": "2023-12-30", + "name": "[format('{0}/{1}', parameters('flexibleServerName'), 'Default')]", + "properties": { + "state": "Enabled" + } + } + ] + } + }, + "dependsOn": [ + "flexibleServer" + ] } }, "outputs": { diff --git a/avm/res/db-for-my-sql/flexible-server/tests/e2e/max/main.test.bicep b/avm/res/db-for-my-sql/flexible-server/tests/e2e/max/main.test.bicep index f7cee60fd5..5a6119803d 100644 --- a/avm/res/db-for-my-sql/flexible-server/tests/e2e/max/main.test.bicep +++ b/avm/res/db-for-my-sql/flexible-server/tests/e2e/max/main.test.bicep 
@@ -123,6 +123,7 @@ module testDeployment '../../../main.bicep' = [
       }
       administratorLogin: 'adminUserName'
       administratorLoginPassword: password
+      advancedThreatProtectionEnabled: true
       skuName: 'Standard_D2ads_v5'
       tier: 'GeneralPurpose'
       storageAutoIoScaling: 'Enabled'
@@ -140,6 +141,7 @@ module testDeployment '../../../main.bicep' = [
           collation: 'ascii_general_ci'
         }
       ]
+      publicNetworkAccess: 'Enabled'
       firewallRules: [
         {
           endIpAddress: '0.0.0.0'
@@ -192,10 +194,5 @@ module testDeployment '../../../main.bicep' = [
         }
       ]
     }
-    dependsOn: [
-      nestedDependencies1
-      nestedDependencies2
-      diagnosticDependencies
-    ]
   }
 ]
diff --git a/avm/res/db-for-my-sql/flexible-server/tests/e2e/private/main.test.bicep b/avm/res/db-for-my-sql/flexible-server/tests/e2e/private/main.test.bicep
index 022d81ac27..22cfd4ed92 100644
--- a/avm/res/db-for-my-sql/flexible-server/tests/e2e/private/main.test.bicep
+++ b/avm/res/db-for-my-sql/flexible-server/tests/e2e/private/main.test.bicep
@@ -64,6 +64,23 @@ module testDeployment '../../../main.bicep' = [
       tier: 'GeneralPurpose'
       delegatedSubnetResourceId: nestedDependencies.outputs.subnetResourceId
       privateDnsZoneResourceId: nestedDependencies.outputs.privateDNSZoneResourceId
+      firewallRules: [
+        {
+          endIpAddress: '0.0.0.0'
+          name: 'AllowAllWindowsAzureIps'
+          startIpAddress: '0.0.0.0'
+        }
+        {
+          endIpAddress: '10.10.10.10'
+          name: 'test-rule1'
+          startIpAddress: '10.10.10.1'
+        }
+        {
+          endIpAddress: '100.100.100.10'
+          name: 'test-rule2'
+          startIpAddress: '100.100.100.1'
+        }
+      ]
       storageAutoIoScaling: 'Enabled'
       storageSizeGB: 64
       storageIOPS: 400
From 92a6b3625963a28456264c597070daf6fd2ebe72 Mon Sep 17 00:00:00 2001
From: Matthew Schmitt
Date: Wed, 18 Dec 2024 16:17:16 -0800
Subject: [PATCH 2/7] Adding outputs to module

---
 .../advanced-threat-protection/README.md | 6 +++-
 .../advanced-threat-protection/main.bicep | 9 ++++++
 .../advanced-threat-protection/main.json | 27 +++++++++++++++--
 .../db-for-my-sql/flexible-server/main.json | 29 +++++++++++++++++--
 4 files changed, 65 insertions(+), 6 deletions(-)

diff --git a/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/README.md b/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/README.md
index 2ad1c43217..fc4f6feb70 100644
--- a/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/README.md
+++ b/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/README.md
@@ -31,4 +31,8 @@ The name of the parent DBforMySQL flexible server. Required if the template is u
 
 ## Outputs
 
-_None_
+| Output | Type | Description |
+| :-- | :-- | :-- |
+| `name` | string | The name of the deployed administrator. |
+| `resourceGroupName` | string | The resource group of the deployed administrator. |
+| `resourceId` | string | The resource ID of the deployed administrator. |
diff --git a/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/main.bicep b/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/main.bicep
index 84656d275e..5c166ebc02 100644
--- a/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/main.bicep
+++ b/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/main.bicep
@@ -16,3 +16,12 @@ resource advancedThreatProtection 'Microsoft.DBforMySQL/flexibleServers/advanced
     state: 'Enabled'
   }
 }
+
+@description('The name of the deployed administrator.')
+output name string = advancedThreatProtection.name
+
+@description('The resource ID of the deployed administrator.')
+output resourceId string = advancedThreatProtection.id
+
+@description('The resource group of the deployed administrator.')
+output resourceGroupName string = resourceGroup().name
diff --git a/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/main.json b/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/main.json
index fce2673013..c6879ef3c7 100644
--- a/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/main.json
+++ b/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/main.json
@@ -5,7 +5,7 @@
     "_generator": {
       "name": "bicep",
       "version": "0.31.92.45157",
-      "templateHash": "13311310515375264841"
+      "templateHash": "13331351712651770256"
     },
     "name": "DBforMySQL Flexible Server Advanced Threat Protection",
     "description": "This module enables Advanced Threat Protection for DBforMySQL Flexible Server.",
@@ -28,5 +28,28 @@
         "state": "Enabled"
       }
     }
-  ]
+  ],
+  "outputs": {
+    "name": {
+      "type": "string",
+      "metadata": {
+        "description": "The name of the deployed administrator."
+      },
+      "value": "Default"
+    },
+    "resourceId": {
+      "type": "string",
+      "metadata": {
+        "description": "The resource ID of the deployed administrator."
+      },
+      "value": "[resourceId('Microsoft.DBforMySQL/flexibleServers/advancedThreatProtectionSettings', parameters('flexibleServerName'), 'Default')]"
+    },
+    "resourceGroupName": {
+      "type": "string",
+      "metadata": {
+        "description": "The resource group of the deployed administrator."
+      },
+      "value": "[resourceGroup().name]"
+    }
+  }
 }
\ No newline at end of file
diff --git a/avm/res/db-for-my-sql/flexible-server/main.json b/avm/res/db-for-my-sql/flexible-server/main.json
index 52856578d5..3771cb4352 100644
--- a/avm/res/db-for-my-sql/flexible-server/main.json +++ b/avm/res/db-for-my-sql/flexible-server/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.31.92.45157", - "templateHash": "3089772420646844780" + "templateHash": "8634983587450509246" }, "name": "DBforMySQL Flexible Servers", "description": "This module deploys a DBforMySQL Flexible Server.", @@ -1203,7 +1203,7 @@ "_generator": { "name": "bicep", "version": "0.31.92.45157", - "templateHash": "13311310515375264841" + "templateHash": "13331351712651770256" }, "name": "DBforMySQL Flexible Server Advanced Threat Protection", "description": "This module enables Advanced Threat Protection for DBforMySQL Flexible Server.", @@ -1226,7 +1226,30 @@ "state": "Enabled" } } - ] + ], + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the deployed administrator." + }, + "value": "Default" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the deployed administrator." + }, + "value": "[resourceId('Microsoft.DBforMySQL/flexibleServers/advancedThreatProtectionSettings', parameters('flexibleServerName'), 'Default')]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The resource group of the deployed administrator." + }, + "value": "[resourceGroup().name]" + } + } } }, "dependsOn": [ From b84abf88c4e4cf33a130305636672f71fa96f0e7 Mon Sep 17 00:00:00 2001 From: Matthew Schmitt Date: Wed, 18 Dec 2024 16:28:00 -0800 Subject: [PATCH 3/7] Updating bicep version --- .../flexible-server/administrator/main.json | 4 +- .../advanced-threat-protection/README.md | 6 +-- .../advanced-threat-protection/main.bicep | 6 +-- .../advanced-threat-protection/main.json | 10 ++--- .../flexible-server/database/main.json | 4 +- .../flexible-server/firewall-rule/main.json | 4 +- .../db-for-my-sql/flexible-server/main.json | 42 ++++++++----------- 7 files changed, 34 insertions(+), 42 deletions(-) 
diff --git a/avm/res/db-for-my-sql/flexible-server/administrator/main.json b/avm/res/db-for-my-sql/flexible-server/administrator/main.json
index 1d5728e3c8..26e55a60f1 100644
--- a/avm/res/db-for-my-sql/flexible-server/administrator/main.json
+++ b/avm/res/db-for-my-sql/flexible-server/administrator/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.31.92.45157",
-      "templateHash": "15901602668303039143"
+      "version": "0.32.4.45862",
+      "templateHash": "4183350849272759957"
     },
     "name": "DBforMySQL Flexible Server Administrators",
     "description": "This module deploys a DBforMySQL Flexible Server Administrator.",
diff --git a/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/README.md b/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/README.md
index fc4f6feb70..27a242415c 100644
--- a/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/README.md
+++ b/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/README.md
@@ -33,6 +33,6 @@ The name of the parent DBforMySQL flexible server. Required if the template is u
 
 | Output | Type | Description |
 | :-- | :-- | :-- |
-| `name` | string | The name of the deployed administrator. |
-| `resourceGroupName` | string | The resource group of the deployed administrator. |
-| `resourceId` | string | The resource ID of the deployed administrator. |
+| `name` | string | The name of the deployed threat protection. |
+| `resourceGroupName` | string | The resource group of the deployed threat protection. |
+| `resourceId` | string | The resource ID of the deployed threat protection. |
diff --git a/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/main.bicep b/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/main.bicep
index 5c166ebc02..0a7ccb8c44 100644
--- a/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/main.bicep
+++ b/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/main.bicep
@@ -17,11 +17,11 @@ resource advancedThreatProtection 'Microsoft.DBforMySQL/flexibleServers/advanced
   }
 }
 
-@description('The name of the deployed administrator.')
+@description('The name of the deployed threat protection.')
 output name string = advancedThreatProtection.name
 
-@description('The resource ID of the deployed administrator.')
+@description('The resource ID of the deployed threat protection.')
 output resourceId string = advancedThreatProtection.id
 
-@description('The resource group of the deployed administrator.')
+@description('The resource group of the deployed threat protection.')
 output resourceGroupName string = resourceGroup().name
diff --git a/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/main.json b/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/main.json
index c6879ef3c7..04403918b3 100644
--- a/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/main.json
+++ b/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/main.json
@@ -4,8 +4,8 @@
   "metadata": {
     "_generator": {
       "name": "bicep",
-      "version": "0.31.92.45157",
-      "templateHash": "13331351712651770256"
+      "version": "0.32.4.45862",
+      "templateHash": "15590569630188816024"
     },
     "name": "DBforMySQL Flexible Server Advanced Threat Protection",
     "description": "This module enables Advanced Threat Protection for DBforMySQL Flexible Server.",
@@ -33,21 +33,21 @@ "name": { "type": "string", "metadata": { - "description": "The name of the deployed administrator." + "description": "The name of the deployed threat protection." }, "value": "Default" }, "resourceId": { "type": "string", "metadata": { - "description": "The resource ID of the deployed administrator." + "description": "The resource ID of the deployed threat protection." }, "value": "[resourceId('Microsoft.DBforMySQL/flexibleServers/advancedThreatProtectionSettings', parameters('flexibleServerName'), 'Default')]" }, "resourceGroupName": { "type": "string", "metadata": { - "description": "The resource group of the deployed administrator." + "description": "The resource group of the deployed threat protection." }, "value": "[resourceGroup().name]" } diff --git a/avm/res/db-for-my-sql/flexible-server/database/main.json b/avm/res/db-for-my-sql/flexible-server/database/main.json index 08802bdb19..4a4c439adb 100644 --- a/avm/res/db-for-my-sql/flexible-server/database/main.json +++ b/avm/res/db-for-my-sql/flexible-server/database/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.31.92.45157", - "templateHash": "8816099454149448745" + "version": "0.32.4.45862", + "templateHash": "8629575611448952116" }, "name": "DBforMySQL Flexible Server Databases", "description": "This module deploys a DBforMySQL Flexible Server Database.", diff --git a/avm/res/db-for-my-sql/flexible-server/firewall-rule/main.json b/avm/res/db-for-my-sql/flexible-server/firewall-rule/main.json index 298c0d86a0..0be4a5415f 100644 --- a/avm/res/db-for-my-sql/flexible-server/firewall-rule/main.json +++ b/avm/res/db-for-my-sql/flexible-server/firewall-rule/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.31.92.45157", - "templateHash": "10309431502079210011" + "version": "0.32.4.45862", + "templateHash": "11891154534022239824" }, "name": "DBforMySQL Flexible Server Firewall Rules", "description": "This module deploys a DBforMySQL Flexible Server Firewall Rule.", diff --git a/avm/res/db-for-my-sql/flexible-server/main.json b/avm/res/db-for-my-sql/flexible-server/main.json index 3771cb4352..43100f8e63 100644 --- a/avm/res/db-for-my-sql/flexible-server/main.json +++ b/avm/res/db-for-my-sql/flexible-server/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.31.92.45157", - "templateHash": "8634983587450509246" + "version": "0.32.4.45862", + "templateHash": "2853200309432890008" }, "name": "DBforMySQL Flexible Servers", "description": "This module deploys a DBforMySQL Flexible Server.", @@ -649,10 +649,7 @@ "apiVersion": "2023-02-01", "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", - "name": "[format('{0}/{1}', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/')), coalesce(tryGet(parameters('customerManagedKey'), 'keyName'), 'dummyKey'))]", - "dependsOn": [ - "cMKKeyVault" - ] + "name": "[format('{0}/{1}', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/')), coalesce(tryGet(parameters('customerManagedKey'), 'keyName'), 'dummyKey'))]" }, "cMKGeoKeyVault::cMKKey": { "condition": "[and(not(empty(tryGet(parameters('customerManagedKeyGeo'), 'keyVaultResourceId'))), and(not(empty(tryGet(parameters('customerManagedKeyGeo'), 'keyVaultResourceId'))), not(empty(tryGet(parameters('customerManagedKeyGeo'), 'keyName')))))]", 
@@ -661,10 +658,7 @@ "apiVersion": "2023-02-01", "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKeyGeo'), 'keyVaultResourceId'), '//'), '/')[2]]", "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKeyGeo'), 'keyVaultResourceId'), '////'), '/')[4]]", - "name": "[format('{0}/{1}', last(split(coalesce(tryGet(parameters('customerManagedKeyGeo'), 'keyVaultResourceId'), 'dummyVault'), '/')), coalesce(tryGet(parameters('customerManagedKeyGeo'), 'keyName'), 'dummyKey'))]", - "dependsOn": [ - "cMKGeoKeyVault" - ] + "name": "[format('{0}/{1}', last(split(coalesce(tryGet(parameters('customerManagedKeyGeo'), 'keyVaultResourceId'), 'dummyVault'), '/')), coalesce(tryGet(parameters('customerManagedKeyGeo'), 'keyName'), 'dummyKey'))]" }, "avmTelemetry": { "condition": "[parameters('enableTelemetry')]", @@ -765,10 +759,8 @@ "version": "[parameters('version')]" }, "dependsOn": [ - "cMKGeoKeyVault", - "cMKGeoUserAssignedIdentity", - "cMKKeyVault", - "cMKUserAssignedIdentity" + "cMKKeyVault::cMKKey", + "cMKGeoKeyVault::cMKKey" ] }, "flexibleServer_lock": { @@ -881,8 +873,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.31.92.45157", - "templateHash": "8816099454149448745" + "version": "0.32.4.45862", + "templateHash": "8629575611448952116" }, "name": "DBforMySQL Flexible Server Databases", "description": "This module deploys a DBforMySQL Flexible Server Database.", @@ -989,8 +981,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.31.92.45157", - "templateHash": "10309431502079210011" + "version": "0.32.4.45862", + "templateHash": "11891154534022239824" }, "name": "DBforMySQL Flexible Server Firewall Rules", "description": "This module deploys a DBforMySQL Flexible Server Firewall Rule.", 
@@ -1098,8 +1090,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.31.92.45157", - "templateHash": "15901602668303039143" + "version": "0.32.4.45862", + "templateHash": "4183350849272759957" }, "name": "DBforMySQL Flexible Server Administrators", "description": "This module deploys a DBforMySQL Flexible Server Administrator.", @@ -1202,8 +1194,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.31.92.45157", - "templateHash": "13331351712651770256" + "version": "0.32.4.45862", + "templateHash": "15590569630188816024" }, "name": "DBforMySQL Flexible Server Advanced Threat Protection", "description": "This module enables Advanced Threat Protection for DBforMySQL Flexible Server.", @@ -1231,21 +1223,21 @@ "name": { "type": "string", "metadata": { - "description": "The name of the deployed administrator." + "description": "The name of the deployed threat protection." }, "value": "Default" }, "resourceId": { "type": "string", "metadata": { - "description": "The resource ID of the deployed administrator." + "description": "The resource ID of the deployed threat protection." }, "value": "[resourceId('Microsoft.DBforMySQL/flexibleServers/advancedThreatProtectionSettings', parameters('flexibleServerName'), 'Default')]" }, "resourceGroupName": { "type": "string", "metadata": { - "description": "The resource group of the deployed administrator." + "description": "The resource group of the deployed threat protection." }, "value": "[resourceGroup().name]" } From 98684a2b1b67328c5b558f8c2fed874844b96c3b Mon Sep 17 00:00:00 2001 From: Matthew Schmitt Date: Wed, 18 Dec 2024 17:19:39 -0800 Subject: [PATCH 4/7] Updating version --- avm/res/db-for-my-sql/flexible-server/version.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/avm/res/db-for-my-sql/flexible-server/version.json b/avm/res/db-for-my-sql/flexible-server/version.json index a8eda31021..9ed3662aba 100644 --- a/avm/res/db-for-my-sql/flexible-server/version.json 
+++ b/avm/res/db-for-my-sql/flexible-server/version.json @@ -1,7 +1,7 @@ { "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.5", + "version": "0.6", "pathFilters": [ "./main.json" ] -} \ No newline at end of file +} From b815daddf4cb669ba59e0767372a6678fa36449f Mon Sep 17 00:00:00 2001 From: Matthew Schmitt Date: Thu, 19 Dec 2024 15:32:55 -0800 Subject: [PATCH 5/7] Running Set-AVMModule --- avm/res/db-for-my-sql/flexible-server/README.md | 4 ++++ .../flexible-server/advanced-threat-protection/README.md | 1 + 2 files changed, 5 insertions(+) diff --git a/avm/res/db-for-my-sql/flexible-server/README.md b/avm/res/db-for-my-sql/flexible-server/README.md index b31ffb858f..e26dbcc7c6 100644 --- a/avm/res/db-for-my-sql/flexible-server/README.md +++ b/avm/res/db-for-my-sql/flexible-server/README.md @@ -1090,6 +1090,7 @@ Enable/Disable Advanced Threat Protection (Microsoft Defnder for ) for the serve - Required: No - Type: bool +- Nullable: No - Default: `True` ### Parameter: `availabilityZone` @@ -1625,7 +1626,10 @@ Specifies whether public network access is allowed for this server. Set to "Enab - Required: No - Type: string +- Nullable: No - Default: `'Disabled'` +- MinValue: 1 +- MaxValue: 35 ### Parameter: `replicationRole` diff --git a/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/README.md b/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/README.md index 27a242415c..a1d4f919b8 100644 --- a/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/README.md +++ b/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/README.md @@ -28,6 +28,7 @@ The name of the parent DBforMySQL flexible server. Required if the template is u - Required: Yes - Type: string +- Nullable: No ## Outputs From ff642eef9d03305a531da9aef5d36e087b867de8 Mon Sep 17 00:00:00 2001 
From: Matthew Schmitt Date: Fri, 20 Dec 2024 09:55:28 -0800 Subject: [PATCH 6/7] Updating child module to allow passing of param to disable/enable AdvancedThreatPRotection --- .../db-for-my-sql/flexible-server/README.md | 20 +++++++-------- .../advanced-threat-protection/README.md | 15 ++++++++++- .../advanced-threat-protection/main.bicep | 11 +++++--- .../advanced-threat-protection/main.json | 11 ++++++-- .../db-for-my-sql/flexible-server/main.bicep | 7 +++--- .../db-for-my-sql/flexible-server/main.json | 25 +++++++++++++------ .../tests/e2e/max/main.test.bicep | 2 +- 7 files changed, 61 insertions(+), 30 deletions(-) diff --git a/avm/res/db-for-my-sql/flexible-server/README.md b/avm/res/db-for-my-sql/flexible-server/README.md index 7c775811ca..3483fcd4b1 100644 --- a/avm/res/db-for-my-sql/flexible-server/README.md +++ b/avm/res/db-for-my-sql/flexible-server/README.md @@ -146,7 +146,7 @@ module flexibleServer 'br/public:avm/res/db-for-my-sql/flexible-server: // Non-required parameters administratorLogin: 'adminUserName' administratorLoginPassword: '' - advancedThreatProtectionEnabled: true + advancedThreatProtection: 'Enabled' availabilityZone: '1' backupRetentionDays: 20 customerManagedKey: { @@ -276,8 +276,8 @@ module flexibleServer 'br/public:avm/res/db-for-my-sql/flexible-server: "administratorLoginPassword": { "value": "" }, - "advancedThreatProtectionEnabled": { - "value": true + "advancedThreatProtection": { + "value": "Enabled" }, "availabilityZone": { "value": "1" @@ -436,7 +436,7 @@ param tier = 'GeneralPurpose' // Non-required parameters param administratorLogin = 'adminUserName' param administratorLoginPassword = '' -param advancedThreatProtectionEnabled = true +param advancedThreatProtection = 'Enabled' param availabilityZone = '1' param backupRetentionDays = 20 param customerManagedKey = { 
@@ -934,7 +934,7 @@ param tags = { | [`administratorLogin`](#parameter-administratorlogin) | string | The administrator login name of a server. Can only be specified when the MySQL server is being created. | | [`administratorLoginPassword`](#parameter-administratorloginpassword) | securestring | The administrator login password. | | [`administrators`](#parameter-administrators) | array | The Azure AD administrators when AAD authentication enabled. | -| [`advancedThreatProtectionEnabled`](#parameter-advancedthreatprotectionenabled) | bool | Enable/Disable Advanced Threat Protection (Microsoft Defnder for ) for the server. | +| [`advancedThreatProtection`](#parameter-advancedthreatprotection) | string | Enable/Disable Advanced Threat Protection (Microsoft Defender) for the server. | | [`availabilityZone`](#parameter-availabilityzone) | string | Availability zone information of the server. Default will have no preference set. | | [`backupRetentionDays`](#parameter-backupretentiondays) | int | Backup retention days for the server. | | [`createMode`](#parameter-createmode) | string | The mode to create a new MySQL server. | @@ -1072,14 +1072,13 @@ The Azure AD administrators when AAD authentication enabled. - Type: array - Default: `[]` -### Parameter: `advancedThreatProtectionEnabled` +### Parameter: `advancedThreatProtection` -Enable/Disable Advanced Threat Protection (Microsoft Defnder for ) for the server. +Enable/Disable Advanced Threat Protection (Microsoft Defender) for the server. - Required: No -- Type: bool -- Nullable: No -- Default: `True` +- Type: string +- Default: `'Enabled'` ### Parameter: `availabilityZone` @@ -1574,7 +1573,6 @@ Specifies whether public network access is allowed for this server. Set to "Enab - Required: No - Type: string -- Nullable: No - Default: `'Disabled'` - MinValue: 1 - MaxValue: 35 
diff --git a/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/README.md b/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/README.md index a1d4f919b8..e11c26d95e 100644 --- a/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/README.md +++ b/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/README.md @@ -22,13 +22,26 @@ This module enables Advanced Threat Protection for DBforMySQL Flexible Server. | :-- | :-- | :-- | | [`flexibleServerName`](#parameter-flexibleservername) | string | The name of the parent DBforMySQL flexible server. Required if the template is used in a standalone deployment. | +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`advancedThreatProtection`](#parameter-advancedthreatprotection) | string | The state of the advanced threat protection. | + ### Parameter: `flexibleServerName` The name of the parent DBforMySQL flexible server. Required if the template is used in a standalone deployment. - Required: Yes - Type: string -- Nullable: No + +### Parameter: `advancedThreatProtection` + +The state of the advanced threat protection. + +- Required: No +- Type: string +- Default: `'Enabled'` ## Outputs diff --git a/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/main.bicep b/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/main.bicep index 0a7ccb8c44..b379b66dcc 100644 --- a/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/main.bicep +++ b/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/main.bicep 
@@ -5,23 +5,26 @@ metadata owner = 'Azure/module-maintainers' @description('Conditional. The name of the parent DBforMySQL flexible server. Required if the template is used in a standalone deployment.') param flexibleServerName string +@description('Optional. The state of the advanced threat protection.') +param advancedThreatProtection string = 'Enabled' + resource flexibleServer 'Microsoft.DBforMySQL/flexibleServers@2023-12-30' existing = { name: flexibleServerName } -resource advancedThreatProtection 'Microsoft.DBforMySQL/flexibleServers/advancedThreatProtectionSettings@2023-12-30' = { +resource advancedThreatProtectionSettings 'Microsoft.DBforMySQL/flexibleServers/advancedThreatProtectionSettings@2023-12-30' = { parent: flexibleServer name: 'Default' properties: { - state: 'Enabled' + state: advancedThreatProtection } } @description('The name of the deployed threat protection.') -output name string = advancedThreatProtection.name +output name string = advancedThreatProtectionSettings.name @description('The resource ID of the deployed threat protection.') -output resourceId string = advancedThreatProtection.id +output resourceId string = advancedThreatProtectionSettings.id @description('The resource group of the deployed threat protection.') output resourceGroupName string = resourceGroup().name diff --git a/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/main.json b/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/main.json index 04403918b3..0727cfcb5b 100644 --- a/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/main.json +++ b/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/main.json 
@@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.32.4.45862", - "templateHash": "15590569630188816024" + "templateHash": "8702168883921324305" }, "name": "DBforMySQL Flexible Server Advanced Threat Protection", "description": "This module enables Advanced Threat Protection for DBforMySQL Flexible Server.", @@ -17,6 +17,13 @@ "metadata": { "description": "Conditional. The name of the parent DBforMySQL flexible server. Required if the template is used in a standalone deployment." } + }, + "advancedThreatProtection": { + "type": "string", + "defaultValue": "Enabled", + "metadata": { + "description": "Optional. The state of the advanced threat protection." + } } }, "resources": [ @@ -25,7 +32,7 @@ "apiVersion": "2023-12-30", "name": "[format('{0}/{1}', parameters('flexibleServerName'), 'Default')]", "properties": { - "state": "Enabled" + "state": "[parameters('advancedThreatProtection')]" } } ], diff --git a/avm/res/db-for-my-sql/flexible-server/main.bicep b/avm/res/db-for-my-sql/flexible-server/main.bicep index 8656ec884d..b5302dea9b 100644 --- a/avm/res/db-for-my-sql/flexible-server/main.bicep +++ b/avm/res/db-for-my-sql/flexible-server/main.bicep @@ -162,8 +162,8 @@ param databases array = [] @description('Optional. The firewall rules to create in the MySQL flexible server.') param firewallRules array = [] -@description('Optional. Enable/Disable Advanced Threat Protection (Microsoft Defnder for ) for the server.') -param advancedThreatProtectionEnabled bool = true +@description('Optional. Enable/Disable Advanced Threat Protection (Microsoft Defender) for the server.') +param advancedThreatProtection string = 'Enabled' import { roleAssignmentType } from 'br/public:avm/utl/types/avm-common-types:0.4.0' @description('Optional. Array of role assignments to create.') 
@@ -412,10 +412,11 @@ module flexibleServer_administrators 'administrator/main.bicep' = [ } ] -module flexibleServer_advancedThreatProtection 'advanced-threat-protection/main.bicep' = if (advancedThreatProtectionEnabled) { +module flexibleServer_advancedThreatProtection 'advanced-threat-protection/main.bicep' = { name: '${uniqueString(deployment().name, location)}-MySQL-AdvancedThreatProtection' params: { flexibleServerName: flexibleServer.name + advancedThreatProtection: advancedThreatProtection } } diff --git a/avm/res/db-for-my-sql/flexible-server/main.json b/avm/res/db-for-my-sql/flexible-server/main.json index 43100f8e63..20a3938ebf 100644 --- a/avm/res/db-for-my-sql/flexible-server/main.json +++ b/avm/res/db-for-my-sql/flexible-server/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.32.4.45862", - "templateHash": "2853200309432890008" + "templateHash": "14010929490848836584" }, "name": "DBforMySQL Flexible Servers", "description": "This module deploys a DBforMySQL Flexible Server.", @@ -581,11 +581,11 @@ "description": "Optional. The firewall rules to create in the MySQL flexible server." } }, - "advancedThreatProtectionEnabled": { - "type": "bool", - "defaultValue": true, + "advancedThreatProtection": { + "type": "string", + "defaultValue": "Enabled", "metadata": { - "description": "Optional. Enable/Disable Advanced Threat Protection (Microsoft Defnder for ) for the server." + "description": "Optional. Enable/Disable Advanced Threat Protection (Microsoft Defender) for the server." } }, "roleAssignments": { @@ -1174,7 +1174,6 @@ ] }, "flexibleServer_advancedThreatProtection": { - "condition": "[parameters('advancedThreatProtectionEnabled')]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": "[format('{0}-MySQL-AdvancedThreatProtection', uniqueString(deployment().name, parameters('location')))]", 
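Review bot: Passing 'Disabled' now actively writes `state: 'Disabled'` to the server's `Default` advancedThreatProtectionSettings resource, because the module call lost its `if (advancedThreatProtectionEnabled)` guard and the child deployment runs unconditionally. Under the old shape 'disabled' meant "not managed by this module"; under the new shape it is an explicit opt-out, which presumably overrides any subscription-level Defender for Cloud plan that would otherwise protect the server — worth confirming, and worth stating in the parameter description, e.g. appending `'Disabled' is written to the server explicitly; it does not leave the setting unmanaged.` to the `@description` of `advancedThreatProtection`. The parameter declaration and the e2e tests (which only exercise 'Enabled') are outside this hunk.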
@@ -1186,6 +1185,9 @@ "parameters": { "flexibleServerName": { "value": "[parameters('name')]" + }, + "advancedThreatProtection": { + "value": "[parameters('advancedThreatProtection')]" } }, "template": { @@ -1195,7 +1197,7 @@ "_generator": { "name": "bicep", "version": "0.32.4.45862", - "templateHash": "15590569630188816024" + "templateHash": "8702168883921324305" }, "name": "DBforMySQL Flexible Server Advanced Threat Protection", "description": "This module enables Advanced Threat Protection for DBforMySQL Flexible Server.", @@ -1207,6 +1209,13 @@ "metadata": { "description": "Conditional. The name of the parent DBforMySQL flexible server. Required if the template is used in a standalone deployment." } + }, + "advancedThreatProtection": { + "type": "string", + "defaultValue": "Enabled", + "metadata": { + "description": "Optional. The state of the advanced threat protection." + } } }, "resources": [ @@ -1215,7 +1224,7 @@ "apiVersion": "2023-12-30", "name": "[format('{0}/{1}', parameters('flexibleServerName'), 'Default')]", "properties": { - "state": "Enabled" + "state": "[parameters('advancedThreatProtection')]" } } ], diff --git a/avm/res/db-for-my-sql/flexible-server/tests/e2e/max/main.test.bicep b/avm/res/db-for-my-sql/flexible-server/tests/e2e/max/main.test.bicep index 5a6119803d..32618cfd66 100644 --- a/avm/res/db-for-my-sql/flexible-server/tests/e2e/max/main.test.bicep +++ b/avm/res/db-for-my-sql/flexible-server/tests/e2e/max/main.test.bicep @@ -123,7 +123,7 @@ module testDeployment '../../../main.bicep' = [ } administratorLogin: 'adminUserName' administratorLoginPassword: password - advancedThreatProtectionEnabled: true + advancedThreatProtection: 'Enabled' skuName: 'Standard_D2ads_v5' tier: 'GeneralPurpose' storageAutoIoScaling: 'Enabled' From bcf151b45202a196a323a970577befccce2d8bc9 Mon Sep 17 00:00:00 2001 
From: Matthew Schmitt Date: Fri, 20 Dec 2024 12:18:30 -0800 Subject: [PATCH 7/7] Addressing comments --- .../db-for-my-sql/flexible-server/README.md | 19 ++++++--- .../advanced-threat-protection/README.md | 7 ++++ .../advanced-threat-protection/main.bicep | 4 ++ .../advanced-threat-protection/main.json | 6 ++- .../db-for-my-sql/flexible-server/main.bicep | 28 ++++++++----- .../db-for-my-sql/flexible-server/main.json | 40 ++++++++++++------- 6 files changed, 74 insertions(+), 30 deletions(-) diff --git a/avm/res/db-for-my-sql/flexible-server/README.md b/avm/res/db-for-my-sql/flexible-server/README.md index 3483fcd4b1..d3e1095566 100644 --- a/avm/res/db-for-my-sql/flexible-server/README.md +++ b/avm/res/db-for-my-sql/flexible-server/README.md @@ -1015,7 +1015,6 @@ Private dns zone arm resource ID. Used when the desired connectivity mode is "Pr - Required: No - Type: string -- Default: `''` ### Parameter: `restorePointInTime` @@ -1031,7 +1030,6 @@ The source MySQL server ID. Required if "createMode" is set to "PointInTimeResto - Required: No - Type: string -- Default: `''` ### Parameter: `storageAutoGrow` @@ -1054,7 +1052,6 @@ The administrator login name of a server. Can only be specified when the MySQL s - Required: No - Type: string -- Default: `''` ### Parameter: `administratorLoginPassword` @@ -1062,7 +1059,6 @@ The administrator login password. - Required: No - Type: securestring -- Default: `''` ### Parameter: `administrators` @@ -1079,6 +1075,13 @@ Enable/Disable Advanced Threat Protection (Microsoft Defender) for the server. - Required: No - Type: string - Default: `'Enabled'` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + ] + ``` ### Parameter: `availabilityZone` @@ -1260,7 +1263,6 @@ Delegated subnet arm resource ID. Used when the desired connectivity mode is "Pr - Required: No - Type: string -- Default: `''` - MinValue: 1 - MaxValue: 35 
@@ -1574,6 +1576,13 @@ Specifies whether public network access is allowed for this server. Set to "Enab - Required: No - Type: string - Default: `'Disabled'` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + ] + ``` - MinValue: 1 - MaxValue: 35 diff --git a/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/README.md b/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/README.md index e11c26d95e..8cb89a8d91 100644 --- a/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/README.md +++ b/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/README.md @@ -42,6 +42,13 @@ The state of the advanced threat protection. - Required: No - Type: string - Default: `'Enabled'` +- Allowed: + ```Bicep + [ + 'Disabled' + 'Enabled' + ] + ``` ## Outputs diff --git a/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/main.bicep b/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/main.bicep index b379b66dcc..a03192ded2 100644 --- a/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/main.bicep +++ b/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/main.bicep @@ -6,6 +6,10 @@ metadata owner = 'Azure/module-maintainers' param flexibleServerName string @description('Optional. The state of the advanced threat protection.') +@allowed([ + 'Enabled' + 'Disabled' +]) param advancedThreatProtection string = 'Enabled' resource flexibleServer 'Microsoft.DBforMySQL/flexibleServers@2023-12-30' existing = { diff --git a/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/main.json b/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/main.json index 0727cfcb5b..98a67f3e6f 100644 --- a/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/main.json +++ b/avm/res/db-for-my-sql/flexible-server/advanced-threat-protection/main.json 
@@ -5,7 +5,7 @@ "_generator": { "name": "bicep", "version": "0.32.4.45862", - "templateHash": "8702168883921324305" + "templateHash": "1116000770546444664" }, "name": "DBforMySQL Flexible Server Advanced Threat Protection", "description": "This module enables Advanced Threat Protection for DBforMySQL Flexible Server.", @@ -21,6 +21,10 @@ "advancedThreatProtection": { "type": "string", "defaultValue": "Enabled", + "allowedValues": [ + "Enabled", + "Disabled" + ], "metadata": { "description": "Optional. The state of the advanced threat protection." } diff --git a/avm/res/db-for-my-sql/flexible-server/main.bicep b/avm/res/db-for-my-sql/flexible-server/main.bicep index b5302dea9b..230410097c 100644 --- a/avm/res/db-for-my-sql/flexible-server/main.bicep +++ b/avm/res/db-for-my-sql/flexible-server/main.bicep @@ -16,11 +16,11 @@ param location string = resourceGroup().location param tags object? @description('Optional. The administrator login name of a server. Can only be specified when the MySQL server is being created.') -param administratorLogin string = '' +param administratorLogin string? @description('Optional. The administrator login password.') @secure() -param administratorLoginPassword string = '' +param administratorLoginPassword string? @description('Optional. The Azure AD administrators when AAD authentication enabled.') param administrators array = [] 
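Review bot: Making `administratorLoginPassword` (and `administratorLogin`) nullable removes the old `''`-to-null normalization — the `!empty(...) ? ... : null` wrappers are deleted in a later hunk of this same patch — so a caller that still passes the former default `''` now sends an empty password to the resource provider instead of omitting the property. Keeping `@secure()` is right, but the description should tell callers how to supply the value safely, e.g. `@description('Optional. The administrator login password. Supply it via a Key Vault reference (getSecret) rather than a literal in a parameter file; omit it (do not pass an empty string) when no local administrator is wanted.')`. Whether the provider rejects an empty string or silently treats it as unset is not visible here and should be confirmed before 0.6 ships, since this is a behavioural change for existing callers.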
@@ -92,12 +92,16 @@ param highAvailability string = 'ZoneRedundant' param maintenanceWindow object = {} @description('Optional. Delegated subnet arm resource ID. Used when the desired connectivity mode is "Private Access" - virtual network integration. Delegation must be enabled on the subnet for MySQL Flexible Servers and subnet CIDR size is /29.') -param delegatedSubnetResourceId string = '' +param delegatedSubnetResourceId string? @description('Conditional. Private dns zone arm resource ID. Used when the desired connectivity mode is "Private Access". Required if "delegatedSubnetResourceId" is used and the Private DNS Zone name must end with mysql.database.azure.com in order to be linked to the MySQL Flexible Server.') -param privateDnsZoneResourceId string = '' +param privateDnsZoneResourceId string? @description('Optional. Specifies whether public network access is allowed for this server. Set to "Enabled" to allow public access, or "Disabled" (default) when the server has VNet integration.') +@allowed([ + 'Enabled' + 'Disabled' +]) param publicNetworkAccess string = 'Disabled' @description('Conditional. Restore point creation time (ISO8601 format), specifying the time to restore from. Required if "createMode" is set to "PointInTimeRestore".') @@ -112,7 +116,7 @@ param restorePointInTime string = '' param replicationRole string = 'None' @description('Conditional. The source MySQL server ID. Required if "createMode" is set to "PointInTimeRestore".') -param sourceServerResourceId string = '' +param sourceServerResourceId string? @allowed([ 'Disabled' @@ -163,6 +167,10 @@ param databases array = [] param firewallRules array = [] @description('Optional. Enable/Disable Advanced Threat Protection (Microsoft Defender) for the server.') +@allowed([ + 'Enabled' + 'Disabled' +]) param advancedThreatProtection string = 'Enabled' import { roleAssignmentType } from 'br/public:avm/utl/types/avm-common-types:0.4.0' 
@@ -295,8 +303,8 @@ resource flexibleServer 'Microsoft.DBforMySQL/flexibleServers@2023-12-30' = { } identity: identity properties: { - administratorLogin: !empty(administratorLogin) ? administratorLogin : null - administratorLoginPassword: !empty(administratorLoginPassword) ? administratorLoginPassword : null + administratorLogin: administratorLogin + administratorLoginPassword: administratorLoginPassword availabilityZone: availabilityZone backup: { backupRetentionDays: backupRetentionDays @@ -331,13 +339,13 @@ resource flexibleServer 'Microsoft.DBforMySQL/flexibleServers@2023-12-30' = { } : null network: { - delegatedSubnetResourceId: !empty(delegatedSubnetResourceId) ? delegatedSubnetResourceId : null - privateDnsZoneResourceId: !empty(privateDnsZoneResourceId) ? privateDnsZoneResourceId : null + delegatedSubnetResourceId: delegatedSubnetResourceId + privateDnsZoneResourceId: privateDnsZoneResourceId publicNetworkAccess: publicNetworkAccess } replicationRole: replicationRole restorePointInTime: restorePointInTime - sourceServerResourceId: !empty(sourceServerResourceId) ? sourceServerResourceId : null + sourceServerResourceId: sourceServerResourceId storage: { autoGrow: storageAutoGrow autoIoScaling: storageAutoIoScaling diff --git a/avm/res/db-for-my-sql/flexible-server/main.json b/avm/res/db-for-my-sql/flexible-server/main.json index 20a3938ebf..eeddb36cdf 100644 --- a/avm/res/db-for-my-sql/flexible-server/main.json +++ b/avm/res/db-for-my-sql/flexible-server/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.32.4.45862", - "templateHash": "14010929490848836584" + "templateHash": "16654908193129390274" }, "name": "DBforMySQL Flexible Servers", "description": "This module deploys a DBforMySQL Flexible Server.", 
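Review bot: `restorePointInTime` is still passed straight through in the network hunk while `sourceServerResourceId` directly below it was switched to a nullable parameter, so a non-restore deployment keeps sending `restorePointInTime: ''` to the provider (its declaration `param restorePointInTime string = ''` appears only as context in the earlier hunk, outside this one). For consistency with the other conditional parameters in this patch, declare it `param restorePointInTime string?` and leave the property assignment as is; if the provider already tolerated the empty string this is a no-op, otherwise it removes a latent error. Separately, `delegatedSubnetResourceId` and `privateDnsZoneResourceId` lose their `''`-to-null guards here, so callers that passed the old `''` default will now submit an empty resource ID — a breaking change for 0.6 that the changelog should call out.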
@@ -329,14 +329,14 @@ }, "administratorLogin": { "type": "string", - "defaultValue": "", + "nullable": true, "metadata": { "description": "Optional. The administrator login name of a server. Can only be specified when the MySQL server is being created." } }, "administratorLoginPassword": { "type": "securestring", - "defaultValue": "", + "nullable": true, "metadata": { "description": "Optional. The administrator login password." } @@ -460,14 +460,14 @@ }, "delegatedSubnetResourceId": { "type": "string", - "defaultValue": "", + "nullable": true, "metadata": { "description": "Optional. Delegated subnet arm resource ID. Used when the desired connectivity mode is \"Private Access\" - virtual network integration. Delegation must be enabled on the subnet for MySQL Flexible Servers and subnet CIDR size is /29." } }, "privateDnsZoneResourceId": { "type": "string", - "defaultValue": "", + "nullable": true, "metadata": { "description": "Conditional. Private dns zone arm resource ID. Used when the desired connectivity mode is \"Private Access\". Required if \"delegatedSubnetResourceId\" is used and the Private DNS Zone name must end with mysql.database.azure.com in order to be linked to the MySQL Flexible Server." } @@ -475,6 +475,10 @@ "publicNetworkAccess": { "type": "string", "defaultValue": "Disabled", + "allowedValues": [ + "Enabled", + "Disabled" + ], "metadata": { "description": "Optional. Specifies whether public network access is allowed for this server. Set to \"Enabled\" to allow public access, or \"Disabled\" (default) when the server has VNet integration." } @@ -500,7 +504,7 @@ }, "sourceServerResourceId": { "type": "string", - "defaultValue": "", + "nullable": true, "metadata": { "description": "Conditional. The source MySQL server ID. Required if \"createMode\" is set to \"PointInTimeRestore\"." } 
@@ -584,6 +588,10 @@ "advancedThreatProtection": { "type": "string", "defaultValue": "Enabled", + "allowedValues": [ + "Enabled", + "Disabled" + ], "metadata": { "description": "Optional. Enable/Disable Advanced Threat Protection (Microsoft Defender) for the server." } @@ -728,8 +736,8 @@ }, "identity": "[variables('identity')]", "properties": { - "administratorLogin": "[if(not(empty(parameters('administratorLogin'))), parameters('administratorLogin'), null())]", - "administratorLoginPassword": "[if(not(empty(parameters('administratorLoginPassword'))), parameters('administratorLoginPassword'), null())]", + "administratorLogin": "[parameters('administratorLogin')]", + "administratorLoginPassword": "[parameters('administratorLoginPassword')]", "availabilityZone": "[parameters('availabilityZone')]", "backup": { "backupRetentionDays": "[parameters('backupRetentionDays')]", 
@@ -743,13 +751,13 @@ }, "maintenanceWindow": "[if(not(empty(parameters('maintenanceWindow'))), createObject('customWindow', parameters('maintenanceWindow').customWindow, 'dayOfWeek', if(equals(parameters('maintenanceWindow').customWindow, 'Enabled'), parameters('maintenanceWindow').dayOfWeek, 0), 'startHour', if(equals(parameters('maintenanceWindow').customWindow, 'Enabled'), parameters('maintenanceWindow').startHour, 0), 'startMinute', if(equals(parameters('maintenanceWindow').customWindow, 'Enabled'), parameters('maintenanceWindow').startMinute, 0)), null())]", "network": { - "delegatedSubnetResourceId": "[if(not(empty(parameters('delegatedSubnetResourceId'))), parameters('delegatedSubnetResourceId'), null())]", - "privateDnsZoneResourceId": "[if(not(empty(parameters('privateDnsZoneResourceId'))), parameters('privateDnsZoneResourceId'), null())]", + "delegatedSubnetResourceId": "[parameters('delegatedSubnetResourceId')]", + "privateDnsZoneResourceId": "[parameters('privateDnsZoneResourceId')]", "publicNetworkAccess": "[parameters('publicNetworkAccess')]" }, "replicationRole": "[parameters('replicationRole')]", "restorePointInTime": "[parameters('restorePointInTime')]", - "sourceServerResourceId": "[if(not(empty(parameters('sourceServerResourceId'))), parameters('sourceServerResourceId'), null())]", + "sourceServerResourceId": "[parameters('sourceServerResourceId')]", "storage": { "autoGrow": "[parameters('storageAutoGrow')]", "autoIoScaling": "[parameters('storageAutoIoScaling')]", @@ -759,8 +767,8 @@ "version": "[parameters('version')]" }, "dependsOn": [ - "cMKKeyVault::cMKKey", - "cMKGeoKeyVault::cMKKey" + "cMKGeoKeyVault::cMKKey", + "cMKKeyVault::cMKKey" ] }, "flexibleServer_lock": { 
@@ -1197,7 +1205,7 @@ "_generator": { "name": "bicep", "version": "0.32.4.45862", - "templateHash": "8702168883921324305" + "templateHash": "1116000770546444664" }, "name": "DBforMySQL Flexible Server Advanced Threat Protection", "description": "This module enables Advanced Threat Protection for DBforMySQL Flexible Server.", @@ -1213,6 +1221,10 @@ "advancedThreatProtection": { "type": "string", "defaultValue": "Enabled", + "allowedValues": [ + "Enabled", + "Disabled" + ], "metadata": { "description": "Optional. The state of the advanced threat protection." }