From ced479c426fa775eda45ae83b404f68e53dfec86 Mon Sep 17 00:00:00 2001 From: Jack Tracey <41163455+jtracey93@users.noreply.github.com> Date: Wed, 20 Nov 2024 09:46:11 +0000 Subject: [PATCH 1/6] feat: Add WAF Security PSRule Checks to Baseline (#3806) ## Description Add WAF Security PSRule Checks to Baseline ## Pipeline Reference | Pipeline | | -------- | | N/A | ## Type of Change - [x] Update to CI Environment or utilities (Non-module affecting changes) - [ ] Azure Verified Module updates: - [ ] Bugfix containing backwards-compatible bug fixes, and I have NOT bumped the MAJOR or MINOR version in `version.json`: - [ ] Someone has opened a bug report issue, and I have included "Closes #{bug_report_issue_number}" in the PR description. - [ ] The bug was found by the module author, and no one has opened an issue to report it yet. - [ ] Feature update backwards compatible feature updates, and I have bumped the MINOR version in `version.json`. - [ ] Breaking changes and I have bumped the MAJOR version in `version.json`. - [ ] Update to documentation ## Checklist - [x] I'm sure there are no other open Pull Requests for the same update/change - [x] I have run `Set-AVMModule` locally to generate the supporting module files. - [x] My corresponding pipelines / checks run clean and green without any errors or warnings --- .../staticValidation/psrule/.ps-rule/cb-waf-security.Rule.yaml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/avm/utilities/pipelines/staticValidation/psrule/.ps-rule/cb-waf-security.Rule.yaml b/avm/utilities/pipelines/staticValidation/psrule/.ps-rule/cb-waf-security.Rule.yaml index 3620b3c9bd..d1ee7cf4c0 100644 --- a/avm/utilities/pipelines/staticValidation/psrule/.ps-rule/cb-waf-security.Rule.yaml +++ b/avm/utilities/pipelines/staticValidation/psrule/.ps-rule/cb-waf-security.Rule.yaml 
@@ -37,6 +37,8 @@ spec:
 - Azure.Defender.Storage
 - Azure.Firewall.Mode
 - Azure.Firewall.PolicyMode
+ - Azure.Redis.MinTLS
+ - Azure.Redis.NonSslPort
 - Azure.Storage.DefenderCloud
 - Azure.Storage.Defender.MalwareScan
 - Azure.Storage.SecureTransfer
From 754fed2e98559767897883158b8ab5368ed655e0 Mon Sep 17 00:00:00 2001
From: Joe Linn <120408555+jlinn-microsoft@users.noreply.github.com> Date: Wed, 20 Nov 2024 10:03:48 -0800 Subject: [PATCH 2/6] feat: avm/res/cache/redis - Add access policies (#3811) ## Description Adds access policies and access policy assignments to the Redis module. ## Pipeline Reference | Pipeline | | -------- | | [![avm.res.cache.redis](https://github.com/jlinn-microsoft/bicep-registry-modules/actions/workflows/avm.res.cache.redis.yml/badge.svg)](https://github.com/jlinn-microsoft/bicep-registry-modules/actions/workflows/avm.res.cache.redis.yml) | ## Type of Change - [ ] Update to CI Environment or utilities (Non-module affecting changes) - [x] Azure Verified Module updates: - [ ] Bugfix containing backwards-compatible bug fixes, and I have NOT bumped the MAJOR or MINOR version in `version.json`: - [ ] Someone has opened a bug report issue, and I have included "Closes #{bug_report_issue_number}" in the PR description. - [ ] The bug was found by the module author, and no one has opened an issue to report it yet. - [x] Feature update backwards compatible feature updates, and I have bumped the MINOR version in `version.json`. - [ ] Breaking changes and I have bumped the MAJOR version in `version.json`. - [ ] Update to documentation ## Checklist - [x] I'm sure there are no other open Pull Requests for the same update/change - [x] I have run `Set-AVMModule` locally to generate the supporting module files. - [x] My corresponding pipelines / checks run clean and green without any errors or warnings --- avm/res/cache/redis/README.md | 113 ++++++++++++++++++ avm/res/cache/redis/main.bicep | 47 ++++++++ avm/res/cache/redis/main.json | 101 +++++++++++++++- .../tests/e2e/entra-id/dependencies.bicep | 19 +++ .../redis/tests/e2e/entra-id/main.test.bicep | 25 ++++ avm/res/cache/redis/version.json | 2 +- 6 files changed, 302 insertions(+), 5 deletions(-) create mode 100644 avm/res/cache/redis/tests/e2e/entra-id/dependencies.bicep 
diff --git a/avm/res/cache/redis/README.md b/avm/res/cache/redis/README.md index 322627a7e1..d7c8c9c246 100644 --- a/avm/res/cache/redis/README.md +++ b/avm/res/cache/redis/README.md @@ -19,6 +19,8 @@ This module deploys a Redis Cache. | `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | | `Microsoft.Cache/redis` | [2024-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cache/redis) | +| `Microsoft.Cache/redis/accessPolicies` | [2024-04-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cache/redis/accessPolicies) | +| `Microsoft.Cache/redis/accessPolicyAssignments` | [2024-04-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cache/redis/accessPolicyAssignments) | | `Microsoft.Cache/redis/linkedServers` | [2024-03-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Cache/redis/linkedServers) | | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | | `Microsoft.Network/privateEndpoints` | [2023-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-11-01/privateEndpoints) | @@ -118,6 +120,19 @@ module redis 'br/public:avm/res/cache/redis:' = { // Required parameters name: 'crentrid001' // Non-required parameters + accessPolicies: [ + { + name: 'Prefixed Contributor' + permissions: '+@read +set ~Az*' + } + ] + accessPolicyAssignments: [ + { + accessPolicyName: 'Data Contributor' + objectId: '' + objectIdAlias: '' + } + ] location: '' redisConfiguration: { 'aad-enabled': 'true' 
@@ -143,6 +158,23 @@ module redis 'br/public:avm/res/cache/redis:' = { "value": "crentrid001" }, // Non-required parameters + "accessPolicies": { + "value": [ + { + "name": "Prefixed Contributor", + "permissions": "+@read +set ~Az*" + } + ] + }, + "accessPolicyAssignments": { + "value": [ + { + "accessPolicyName": "Data Contributor", + "objectId": "", + "objectIdAlias": "" + } + ] + }, "location": { "value": "" }, @@ -168,6 +200,19 @@ using 'br/public:avm/res/cache/redis:' // Required parameters param name = 'crentrid001' // Non-required parameters +param accessPolicies = [ + { + name: 'Prefixed Contributor' + permissions: '+@read +set ~Az*' + } +] +param accessPolicyAssignments = [ + { + accessPolicyName: 'Data Contributor' + objectId: '' + objectIdAlias: '' + } +] param location = '' param redisConfiguration = { 'aad-enabled': 'true' @@ -992,6 +1037,8 @@ param zones = [ | Parameter | Type | Description | | :-- | :-- | :-- | +| [`accessPolicies`](#parameter-accesspolicies) | array | Array of access policies to create. | +| [`accessPolicyAssignments`](#parameter-accesspolicyassignments) | array | Array of access policy assignments. | | [`capacity`](#parameter-capacity) | int | The size of the Redis cache to deploy. Valid values: for C (Basic/Standard) family (0, 1, 2, 3, 4, 5, 6), for P (Premium) family (1, 2, 3, 4). | | [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`disableAccessKeyAuthentication`](#parameter-disableaccesskeyauthentication) | bool | Disable authentication via access keys. | 
@@ -1025,6 +1072,72 @@ The name of the Redis cache resource. - Required: Yes - Type: string +### Parameter: `accessPolicies` + +Array of access policies to create. + +- Required: No +- Type: array +- Default: `[]` + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-accesspoliciesname) | string | Name of the access policy. | +| [`permissions`](#parameter-accesspoliciespermissions) | string | Permissions associated with the access policy. | + +### Parameter: `accessPolicies.name` + +Name of the access policy. + +- Required: Yes +- Type: string + +### Parameter: `accessPolicies.permissions` + +Permissions associated with the access policy. + +- Required: Yes +- Type: string + +### Parameter: `accessPolicyAssignments` + +Array of access policy assignments. + +- Required: No +- Type: array +- Default: `[]` + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`accessPolicyName`](#parameter-accesspolicyassignmentsaccesspolicyname) | string | Name of the access policy to be assigned. | +| [`objectId`](#parameter-accesspolicyassignmentsobjectid) | string | Object id to which the access policy will be assigned. | +| [`objectIdAlias`](#parameter-accesspolicyassignmentsobjectidalias) | string | Alias for the target object id. | + +### Parameter: `accessPolicyAssignments.accessPolicyName` + +Name of the access policy to be assigned. + +- Required: Yes +- Type: string + +### Parameter: `accessPolicyAssignments.objectId` + +Object id to which the access policy will be assigned. + +- Required: Yes +- Type: string + +### Parameter: `accessPolicyAssignments.objectIdAlias` + +Alias for the target object id. + +- Required: Yes +- Type: string + ### Parameter: `capacity` The size of the Redis cache to deploy. Valid values: for C (Basic/Standard) family (0, 1, 2, 3, 4, 5, 6), for P (Premium) family (1, 2, 3, 4). 
diff --git a/avm/res/cache/redis/main.bicep b/avm/res/cache/redis/main.bicep index 2eda0b9e71..5b677fdc92 100644 --- a/avm/res/cache/redis/main.bicep +++ b/avm/res/cache/redis/main.bicep @@ -111,6 +111,12 @@ param diagnosticSettings diagnosticSettingType @description('Optional. Enable/Disable usage telemetry for module.') param enableTelemetry bool = true +@description('Optional. Array of access policies to create.') +param accessPolicies accessPolicyType[] = [] + +@description('Optional. Array of access policy assignments.') +param accessPolicyAssignments accessPolicyAssignmentType[] = [] + var availabilityZones = skuName == 'Premium' ? zoneRedundant ? !empty(zones) ? zones : pickZones('Microsoft.Cache', 'redis', location, 3) : [] : [] @@ -207,6 +213,31 @@ resource redis 'Microsoft.Cache/redis@2024-03-01' = { zones: availabilityZones } +resource redis_accessPolicies 'Microsoft.Cache/redis/accessPolicies@2024-04-01-preview' = [ + for policy in accessPolicies: { + name: policy.name + parent: redis + properties: { + permissions: policy.permissions + } + } +] + +resource redis_accessPolicyAssignments 'Microsoft.Cache/redis/accessPolicyAssignments@2024-04-01-preview' = [ + for assignment in accessPolicyAssignments: { + name: assignment.objectId + parent: redis + properties: { + objectId: assignment.objectId + objectIdAlias: assignment.objectIdAlias + accessPolicyName: assignment.accessPolicyName + } + dependsOn: [ + redis_accessPolicies + ] + } +] + resource redis_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { name: lock.?name ?? 'lock-${name}' properties: { 
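Review bot: `redis_accessPolicyAssignments` derives each child resource name solely from `assignment.objectId`, so two entries for the same principal (for example one per policy) collide on the resource name and the deployment fails before the service ever evaluates the second assignment; whether the service itself permits more than one assignment per principal is not visible here, but the module should not be what rules it out. A backward-compatible fix is an optional `name` field on `accessPolicyAssignmentType` and `name: assignment.?name ?? assignment.objectId` on the resource, which keeps today's default for existing callers. The `dependsOn: [ redis_accessPolicies ]` on the assignment loop gives the right ordering for custom policies, but it is unconditional, so an assignment of a built-in policy such as 'Data Contributor' also waits on the whole custom-policy collection; harmless, and worth a one-line comment saying so. The `resource redis` block whose closing lines open this hunk starts before the hunk.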
@@ -537,3 +568,19 @@ type diagnosticSettingType = {
 @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.')
 marketplacePartnerResourceId: string?
 }[]?
+
+type accessPolicyType = {
+ @description('Required. Name of the access policy.')
+ name: string
+ @description('Required. Permissions associated with the access policy.')
+ permissions: string
+}
+
+type accessPolicyAssignmentType = {
+ @description('Required. Object id to which the access policy will be assigned.')
+ objectId: string
+ @description('Required. Alias for the target object id.')
+ objectIdAlias: string
+ @description('Required. Name of the access policy to be assigned.')
+ accessPolicyName: string
+}
diff --git a/avm/res/cache/redis/main.json b/avm/res/cache/redis/main.json
index 24322d1c3b..46efa1fe5a 100644
--- a/avm/res/cache/redis/main.json
+++ b/avm/res/cache/redis/main.json
@@ -5,8 +5,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.30.23.60470",
- "templateHash": "4783503622444970338"
+ "version": "0.31.92.45157",
+ "templateHash": "13329670122964938480"
 },
 "name": "Redis Cache",
 "description": "This module deploys a Redis Cache.",
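Review bot: The `@description` on `permissions` in `accessPolicyType` says only "Permissions associated with the access policy", which tells a caller nothing about the value's shape even though it is handed to the service unchanged (`permissions: policy.permissions`) and is the thing that decides how much data the principal can touch; the e2e test shows the expected form, so state it: `@description('Required. The Redis ACL permission string of the policy, passed through unchanged, e.g. \'+@read +set ~Az*\'.')`. Likewise `objectId` is documented as "Object id", while the test passes a managed identity's principal ID; `@description('Required. The Entra ID object ID of the principal to which the access policy will be assigned.')` removes the guess. The main.json hunk on this line is generated output and needs no separate review.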
@@ -473,6 +473,46 @@ } }, "nullable": true + }, + "accessPolicyType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. Name of the access policy." + } + }, + "permissions": { + "type": "string", + "metadata": { + "description": "Required. Permissions associated with the access policy." + } + } + } + }, + "accessPolicyAssignmentType": { + "type": "object", + "properties": { + "objectId": { + "type": "string", + "metadata": { + "description": "Required. Object id to which the access policy will be assigned." + } + }, + "objectIdAlias": { + "type": "string", + "metadata": { + "description": "Required. Alias for the target object id." + } + }, + "accessPolicyName": { + "type": "string", + "metadata": { + "description": "Required. Name of the access policy to be assigned." + } + } + } } }, "parameters": { @@ -689,6 +729,26 @@ "metadata": { "description": "Optional. Enable/Disable usage telemetry for module." } + }, + "accessPolicies": { + "type": "array", + "items": { + "$ref": "#/definitions/accessPolicyType" + }, + "defaultValue": [], + "metadata": { + "description": "Optional. Array of access policies to create." + } + }, + "accessPolicyAssignments": { + "type": "array", + "items": { + "$ref": "#/definitions/accessPolicyAssignmentType" + }, + "defaultValue": [], + "metadata": { + "description": "Optional. Array of access policy assignments." + } } }, "variables": { 
@@ -760,6 +820,39 @@ }, "zones": "[variables('availabilityZones')]" }, + "redis_accessPolicies": { + "copy": { + "name": "redis_accessPolicies", + "count": "[length(parameters('accessPolicies'))]" + }, + "type": "Microsoft.Cache/redis/accessPolicies", + "apiVersion": "2024-04-01-preview", + "name": "[format('{0}/{1}', parameters('name'), parameters('accessPolicies')[copyIndex()].name)]", + "properties": { + "permissions": "[parameters('accessPolicies')[copyIndex()].permissions]" + }, + "dependsOn": [ + "redis" + ] + }, + "redis_accessPolicyAssignments": { + "copy": { + "name": "redis_accessPolicyAssignments", + "count": "[length(parameters('accessPolicyAssignments'))]" + }, + "type": "Microsoft.Cache/redis/accessPolicyAssignments", + "apiVersion": "2024-04-01-preview", + "name": "[format('{0}/{1}', parameters('name'), parameters('accessPolicyAssignments')[copyIndex()].objectId)]", + "properties": { + "objectId": "[parameters('accessPolicyAssignments')[copyIndex()].objectId]", + "objectIdAlias": "[parameters('accessPolicyAssignments')[copyIndex()].objectIdAlias]", + "accessPolicyName": "[parameters('accessPolicyAssignments')[copyIndex()].accessPolicyName]" + }, + "dependsOn": [ + "redis", + "redis_accessPolicies" + ] + }, "redis_lock": { "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", "type": "Microsoft.Authorization/locks", @@ -1634,8 +1727,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.30.23.60470", - "templateHash": "10405637679168200939" + "version": "0.31.92.45157", + "templateHash": "4764248912015671674" }, "name": "Redis Cache Linked Servers", "description": "This module connects a primary and secondary Redis Cache together for geo-replication.", diff --git a/avm/res/cache/redis/tests/e2e/entra-id/dependencies.bicep b/avm/res/cache/redis/tests/e2e/entra-id/dependencies.bicep new file mode 100644 index 0000000000..30dac9092e --- /dev/null 
+++ b/avm/res/cache/redis/tests/e2e/entra-id/dependencies.bicep
@@ -0,0 +1,19 @@
+@description('Optional. The location to deploy resources to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Managed Identity to be created.')
+param managedIdentityName string
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-07-31-preview' = {
+ name: managedIdentityName
+ location: location
+}
+
+@description('The resource ID of the created Managed Identity.')
+output managedIdentityResourceId string = managedIdentity.id
+@description('The client ID of the created Managed Identity.')
+output managedIdentityClientId string = managedIdentity.properties.clientId
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
+@description('The name of the created Managed Identity.')
+output managedIdentityName string = managedIdentity.name
diff --git a/avm/res/cache/redis/tests/e2e/entra-id/main.test.bicep b/avm/res/cache/redis/tests/e2e/entra-id/main.test.bicep
index 49b1872260..a7efd473d7 100644
--- a/avm/res/cache/redis/tests/e2e/entra-id/main.test.bicep
+++ b/avm/res/cache/redis/tests/e2e/entra-id/main.test.bicep
@@ -31,6 +31,15 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
 location: resourceLocation
 }
 
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, resourceLocation)}-nestedDependencies'
+ params: {
+ location: resourceLocation
+ managedIdentityName: 'dep-${namePrefix}-mi-${serviceShort}'
+ }
+}
+
 // ============== //
 // Test Execution //
 // ============== //
@@ -46,6 +55,22 @@ module testDeployment '../../../main.bicep' = [
 redisConfiguration: {
 'aad-enabled': 'true'
 }
+ accessPolicyAssignments: [
+ {
+ accessPolicyName: 'Data Contributor'
+ objectId: nestedDependencies.outputs.managedIdentityPrincipalId
+ objectIdAlias: nestedDependencies.outputs.managedIdentityName
+ }
+ ]
+ accessPolicies: [
+ {
+ name: 'Prefixed Contributor'
+ permissions: '+@read +set ~Az*'
+ }
+ ]
 }
+ dependsOn: [
+ nestedDependencies
+ ]
 }
 ]
diff --git a/avm/res/cache/redis/version.json b/avm/res/cache/redis/version.json
index 7e1d3f4157..0f81d22abc 100644
--- a/avm/res/cache/redis/version.json
+++ b/avm/res/cache/redis/version.json
@@ -1,6 +1,6 @@
 {
 "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.7",
+ "version": "0.8",
 "pathFilters": [
 "./main.json"
 ]
From 7ec366411c0ae4df70cb62f6fbd5db7615cbd123 Mon Sep 17 00:00:00 2001
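Review bot: The added `dependsOn: [ nestedDependencies ]` on the test deployment is redundant: `accessPolicyAssignments` already reads `nestedDependencies.outputs.managedIdentityPrincipalId` and `nestedDependencies.outputs.managedIdentityName`, which gives Bicep the implicit module dependency, and the linter's `no-unnecessary-dependson` rule flags exactly this pattern; dropping the three lines leaves the ordering unchanged. The `module testDeployment` block this hunk belongs to starts before the hunk. The version.json bump alongside it needs no review.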
From: Kris Baranek <20225789+krbar@users.noreply.github.com> Date: Thu, 21 Nov 2024 02:42:34 +0100 Subject: [PATCH 3/6] fix: Re-create ARM files to fix static validation in `avm/res/search/search-service` (#3791) ## Description Fixing static validation Fixes #3792 ## Pipeline Reference | Pipeline | | -------- | | [![avm.res.search.search-service](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.search.search-service.yml/badge.svg?branch=users%2Fkrbar%2FsearchSvcFix)](https://github.com/Azure/bicep-registry-modules/actions/workflows/avm.res.search.search-service.yml) | ## Type of Change - [ ] Update to CI Environment or utilities (Non-module affecting changes) - [x] Azure Verified Module updates: - [x] Bugfix containing backwards-compatible bug fixes, and I have NOT bumped the MAJOR or MINOR version in `version.json`: - [ ] Someone has opened a bug report issue, and I have included "Closes #{bug_report_issue_number}" in the PR description. - [x] The bug was found by the module author, and no one has opened an issue to report it yet. - [ ] Feature update backwards compatible feature updates, and I have bumped the MINOR version in `version.json`. - [ ] Breaking changes and I have bumped the MAJOR version in `version.json`. - [ ] Update to documentation ## Checklist - [x] I'm sure there are no other open Pull Requests for the same update/change - [x] I have run `Set-AVMModule` locally to generate the supporting module files. - [x] My corresponding pipelines / checks run clean and green without any errors or warnings --- avm/res/search/search-service/main.json | 22 ++++++++++++------- .../shared-private-link-resource/main.json | 9 +++++--- 2 files changed, 20 insertions(+), 11 deletions(-) diff --git a/avm/res/search/search-service/main.json b/avm/res/search/search-service/main.json index d2fd601fa8..be2220e574 100644 --- a/avm/res/search/search-service/main.json +++ b/avm/res/search/search-service/main.json 
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.31.34.60546", - "templateHash": "18312735267946671495" + "version": "0.31.92.45157", + "templateHash": "2123095807669273716" }, "name": "Search Services", "description": "This module deploys a Search Service.", @@ -1794,8 +1794,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.31.34.60546", - "templateHash": "13697564567147510981" + "version": "0.31.92.45157", + "templateHash": "8234368842276618768" }, "name": "Search Services Private Link Resources", "description": "This module deploys a Search Service Private Link Resource.", @@ -1856,7 +1856,10 @@ "groupId": "[parameters('groupId')]", "requestMessage": "[parameters('requestMessage')]", "resourceRegion": "[parameters('resourceRegion')]" - } + }, + "dependsOn": [ + "searchService" + ] } }, "outputs": { @@ -1915,8 +1918,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.31.34.60546", - "templateHash": "251825345610643647" + "version": "0.31.92.45157", + "templateHash": "7954388693868310378" } }, "definitions": { @@ -1992,7 +1995,10 @@ "name": "[format('{0}/{1}', parameters('keyVaultName'), parameters('secretsToSet')[copyIndex()].name)]", "properties": { "value": "[parameters('secretsToSet')[copyIndex()].value]" - } + }, + "dependsOn": [ + "keyVault" + ] } }, "outputs": { diff --git a/avm/res/search/search-service/shared-private-link-resource/main.json b/avm/res/search/search-service/shared-private-link-resource/main.json index e465debc7b..4c1ab6fbd5 100644 --- a/avm/res/search/search-service/shared-private-link-resource/main.json +++ b/avm/res/search/search-service/shared-private-link-resource/main.json 
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.31.34.60546", - "templateHash": "13697564567147510981" + "version": "0.31.92.45157", + "templateHash": "8234368842276618768" }, "name": "Search Services Private Link Resources", "description": "This module deploys a Search Service Private Link Resource.", @@ -67,7 +67,10 @@ "groupId": "[parameters('groupId')]", "requestMessage": "[parameters('requestMessage')]", "resourceRegion": "[parameters('resourceRegion')]" - } + }, + "dependsOn": [ + "searchService" + ] } }, "outputs": { From e5d65dc88c49317ba28936fe69c9d0ba6d6449bc Mon Sep 17 00:00:00 2001 
From: Zach <19664186+FallenHoot@users.noreply.github.com> Date: Thu, 21 Nov 2024 14:57:09 +0100 Subject: [PATCH 4/6] fix: A bug fix - avm vmss bootdiagnosticenabled (#3762) ## Description Unable to enable Boot Diagnostics, because parameter is configured wrong. It needs boolen, but requesting a string. After looking into it more deeply, the Microsoft best practice is to not include a storage account, but that can be optional. The [learn docs](https://learn.microsoft.com/en-us/azure/virtual-machines/boot-diagnostics) state that all you need is the enabled true or false Fixes #3713 ## Pipeline Reference [![avm.res.compute.virtual-machine-scale-set](https://github.com/FallenHoot/bicep-registry-modules/actions/workflows/avm.res.compute.virtual-machine-scale-set.yml/badge.svg?branch=ghactions-managedidentity)](https://github.com/FallenHoot/bicep-registry-modules/actions/workflows/avm.res.compute.virtual-machine-scale-set.yml) ## Type of Change - [ ] Update to CI Environment or utilities (Non-module affecting changes) - [x] Azure Verified Module updates: - [x] Bugfix containing backwards-compatible bug fixes, and I have NOT bumped the MAJOR or MINOR version in `version.json`: - [ ] Someone has opened a bug report issue, and I have included "Closes #{bug_report_issue_number}" in the PR description. - [ ] The bug was found by the module author, and no one has opened an issue to report it yet. - [ ] Feature update backwards compatible feature updates, and I have bumped the MINOR version in `version.json`. - [ ] Breaking changes and I have bumped the MAJOR version in `version.json`. - [x] Update to documentation ## Checklist - [x] I'm sure there are no other open Pull Requests for the same update/change - [X] I have run `Set-AVMModule` locally to generate the supporting module files. 
- [ ] My corresponding pipelines / checks run clean and green without any errors or warnings --------- Co-authored-by: Zach Olinske Co-authored-by: Nate Arnold Co-authored-by: Kris Baranek <20225789+krbar@users.noreply.github.com> Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com> --- .../virtual-machine-scale-set/README.md | 84 +++++--- .../extension/main.json | 4 +- .../virtual-machine-scale-set/main.bicep | 144 +++++--------- .../virtual-machine-scale-set/main.json | 183 ++++++++++++------ .../tests/e2e/linux.defaults/main.test.bicep | 5 + .../tests/e2e/linux.max/main.test.bicep | 7 + .../tests/e2e/linux.ssecmk/main.test.bicep | 6 + .../tests/e2e/windows.max/main.test.bicep | 1 + .../e2e/windows.waf-aligned/main.test.bicep | 1 + .../virtual-machine-scale-set/version.json | 4 +- 10 files changed, 250 insertions(+), 189 deletions(-) diff --git a/avm/res/compute/virtual-machine-scale-set/README.md b/avm/res/compute/virtual-machine-scale-set/README.md index 123eb0d315..60d1521997 100644 --- a/avm/res/compute/virtual-machine-scale-set/README.md +++ b/avm/res/compute/virtual-machine-scale-set/README.md @@ -49,6 +49,7 @@ module virtualMachineScaleSet 'br/public:avm/res/compute/virtual-machine-scale-s name: 'virtualMachineScaleSetDeployment' params: { // Required parameters + adminPassword: '' adminUsername: 'scaleSetAdmin' imageReference: { offer: '0001-com-ubuntu-server-jammy' @@ -110,6 +111,9 @@ module virtualMachineScaleSet 'br/public:avm/res/compute/virtual-machine-scale-s "contentVersion": "1.0.0.0", "parameters": { // Required parameters + "adminPassword": { + "value": "" + }, "adminUsername": { "value": "scaleSetAdmin" }, @@ -189,6 +193,7 @@ module virtualMachineScaleSet 'br/public:avm/res/compute/virtual-machine-scale-s using 'br/public:avm/res/compute/virtual-machine-scale-set:' // Required parameters +param adminPassword = '' param adminUsername = 'scaleSetAdmin' param imageReference = { offer: '0001-com-ubuntu-server-jammy' 
@@ -252,6 +257,7 @@ module virtualMachineScaleSet 'br/public:avm/res/compute/virtual-machine-scale-s name: 'virtualMachineScaleSetDeployment' params: { // Required parameters + adminPassword: '' adminUsername: 'scaleSetAdmin' imageReference: { offer: '0001-com-ubuntu-server-jammy' @@ -291,6 +297,7 @@ module virtualMachineScaleSet 'br/public:avm/res/compute/virtual-machine-scale-s availabilityZones: [ '2' ] + bootDiagnosticEnabled: true bootDiagnosticStorageAccountName: '' dataDisks: [ { @@ -423,6 +430,9 @@ module virtualMachineScaleSet 'br/public:avm/res/compute/virtual-machine-scale-s "contentVersion": "1.0.0.0", "parameters": { // Required parameters + "adminPassword": { + "value": "" + }, "adminUsername": { "value": "scaleSetAdmin" }, @@ -478,6 +488,9 @@ module virtualMachineScaleSet 'br/public:avm/res/compute/virtual-machine-scale-s "2" ] }, + "bootDiagnosticEnabled": { + "value": true + }, "bootDiagnosticStorageAccountName": { "value": "" }, @@ -650,6 +663,7 @@ module virtualMachineScaleSet 'br/public:avm/res/compute/virtual-machine-scale-s using 'br/public:avm/res/compute/virtual-machine-scale-set:' // Required parameters +param adminPassword = '' param adminUsername = 'scaleSetAdmin' param imageReference = { offer: '0001-com-ubuntu-server-jammy' @@ -689,6 +703,7 @@ param skuName = 'Standard_B12ms' param availabilityZones = [ '2' ] +param bootDiagnosticEnabled = true param bootDiagnosticStorageAccountName = '' param dataDisks = [ { @@ -823,6 +838,7 @@ module virtualMachineScaleSet 'br/public:avm/res/compute/virtual-machine-scale-s name: 'virtualMachineScaleSetDeployment' params: { // Required parameters + adminPassword: '' adminUsername: 'scaleSetAdmin' imageReference: { offer: '0001-com-ubuntu-server-jammy' @@ -903,6 +919,9 @@ module virtualMachineScaleSet 'br/public:avm/res/compute/virtual-machine-scale-s "contentVersion": "1.0.0.0", "parameters": { // Required parameters + "adminPassword": { + "value": "" + }, "adminUsername": { "value": "scaleSetAdmin" }, 
@@ -1005,6 +1024,7 @@ module virtualMachineScaleSet 'br/public:avm/res/compute/virtual-machine-scale-s using 'br/public:avm/res/compute/virtual-machine-scale-set:' // Required parameters +param adminPassword = '' param adminUsername = 'scaleSetAdmin' param imageReference = { offer: '0001-com-ubuntu-server-jammy' @@ -1087,6 +1107,7 @@ module virtualMachineScaleSet 'br/public:avm/res/compute/virtual-machine-scale-s name: 'virtualMachineScaleSetDeployment' params: { // Required parameters + adminPassword: '' adminUsername: 'localAdminUser' imageReference: { offer: 'WindowsServer' @@ -1123,7 +1144,6 @@ module virtualMachineScaleSet 'br/public:avm/res/compute/virtual-machine-scale-s osType: 'Windows' skuName: 'Standard_B12ms' // Non-required parameters - adminPassword: '' location: '' } } @@ -1142,6 +1162,9 @@ module virtualMachineScaleSet 'br/public:avm/res/compute/virtual-machine-scale-s "contentVersion": "1.0.0.0", "parameters": { // Required parameters + "adminPassword": { + "value": "" + }, "adminUsername": { "value": "localAdminUser" }, @@ -1192,9 +1215,6 @@ module virtualMachineScaleSet 'br/public:avm/res/compute/virtual-machine-scale-s "value": "Standard_B12ms" }, // Non-required parameters - "adminPassword": { - "value": "" - }, "location": { "value": "" } @@ -1213,6 +1233,7 @@ module virtualMachineScaleSet 'br/public:avm/res/compute/virtual-machine-scale-s using 'br/public:avm/res/compute/virtual-machine-scale-set:' // Required parameters +param adminPassword = '' param adminUsername = 'localAdminUser' param imageReference = { offer: 'WindowsServer' @@ -1249,7 +1270,6 @@ param osDisk = { param osType = 'Windows' param skuName = 'Standard_B12ms' // Non-required parameters -param adminPassword = '' param location = '' ``` 
@@ -1270,6 +1290,7 @@ module virtualMachineScaleSet 'br/public:avm/res/compute/virtual-machine-scale-s name: 'virtualMachineScaleSetDeployment' params: { // Required parameters + adminPassword: '' adminUsername: 'localAdminUser' imageReference: { offer: 'WindowsServer' @@ -1306,7 +1327,6 @@ module virtualMachineScaleSet 'br/public:avm/res/compute/virtual-machine-scale-s osType: 'Windows' skuName: 'Standard_B12ms' // Non-required parameters - adminPassword: '' diagnosticSettings: [ { eventHubAuthorizationRuleResourceId: '' @@ -1441,6 +1461,9 @@ module virtualMachineScaleSet 'br/public:avm/res/compute/virtual-machine-scale-s "contentVersion": "1.0.0.0", "parameters": { // Required parameters + "adminPassword": { + "value": "" + }, "adminUsername": { "value": "localAdminUser" }, @@ -1491,9 +1514,6 @@ module virtualMachineScaleSet 'br/public:avm/res/compute/virtual-machine-scale-s "value": "Standard_B12ms" }, // Non-required parameters - "adminPassword": { - "value": "" - }, "diagnosticSettings": { "value": [ { @@ -1664,6 +1684,7 @@ module virtualMachineScaleSet 'br/public:avm/res/compute/virtual-machine-scale-s using 'br/public:avm/res/compute/virtual-machine-scale-set:' // Required parameters +param adminPassword = '' param adminUsername = 'localAdminUser' param imageReference = { offer: 'WindowsServer' @@ -1700,7 +1721,6 @@ param osDisk = { param osType = 'Windows' param skuName = 'Standard_B12ms' // Non-required parameters -param adminPassword = '' param diagnosticSettings = [ { eventHubAuthorizationRuleResourceId: '' @@ -1837,6 +1857,7 @@ module virtualMachineScaleSet 'br/public:avm/res/compute/virtual-machine-scale-s name: 'virtualMachineScaleSetDeployment' params: { // Required parameters + adminPassword: '' adminUsername: 'localAdminUser' imageReference: { offer: 'WindowsServer' 
@@ -1873,7 +1894,6 @@ module virtualMachineScaleSet 'br/public:avm/res/compute/virtual-machine-scale-s osType: 'Windows' skuName: 'Standard_B12ms' // Non-required parameters - adminPassword: '' diagnosticSettings: [ { eventHubAuthorizationRuleResourceId: '' @@ -1939,6 +1959,7 @@ module virtualMachineScaleSet 'br/public:avm/res/compute/virtual-machine-scale-s enabled: true } extensionMonitoringAgentConfig: { + autoUpgradeMinorVersion: true enabled: true } extensionNetworkWatcherAgentConfig: { @@ -1977,6 +1998,9 @@ module virtualMachineScaleSet 'br/public:avm/res/compute/virtual-machine-scale-s "contentVersion": "1.0.0.0", "parameters": { // Required parameters + "adminPassword": { + "value": "" + }, "adminUsername": { "value": "localAdminUser" }, @@ -2027,9 +2051,6 @@ module virtualMachineScaleSet 'br/public:avm/res/compute/virtual-machine-scale-s "value": "Standard_B12ms" }, // Non-required parameters - "adminPassword": { - "value": "" - }, "diagnosticSettings": { "value": [ { @@ -2110,6 +2131,7 @@ module virtualMachineScaleSet 'br/public:avm/res/compute/virtual-machine-scale-s }, "extensionMonitoringAgentConfig": { "value": { + "autoUpgradeMinorVersion": true, "enabled": true } }, @@ -2163,6 +2185,7 @@ module virtualMachineScaleSet 'br/public:avm/res/compute/virtual-machine-scale-s using 'br/public:avm/res/compute/virtual-machine-scale-set:' // Required parameters +param adminPassword = '' param adminUsername = 'localAdminUser' param imageReference = { offer: 'WindowsServer' @@ -2199,7 +2222,6 @@ param osDisk = { param osType = 'Windows' param skuName = 'Standard_B12ms' // Non-required parameters -param adminPassword = '' param diagnosticSettings = [ { eventHubAuthorizationRuleResourceId: '' @@ -2265,6 +2287,7 @@ param extensionDSCConfig = { enabled: true } param extensionMonitoringAgentConfig = { + autoUpgradeMinorVersion: true enabled: true } param extensionNetworkWatcherAgentConfig = { 
@@ -2297,6 +2320,7 @@ param vmPriority = 'Regular' | Parameter | Type | Description | | :-- | :-- | :-- | +| [`adminPassword`](#parameter-adminpassword) | securestring | When specifying a Windows Virtual Machine, this value should be passed. | | [`adminUsername`](#parameter-adminusername) | securestring | Administrator username. | | [`imageReference`](#parameter-imagereference) | object | OS image reference. In case of marketplace images, it's the combination of the publisher, offer, sku, version attributes. In case of custom images it's the resource ID of the custom image. | | [`name`](#parameter-name) | string | Name of the VMSS. | 
@@ -2310,10 +2334,10 @@ param vmPriority = 'Regular' | Parameter | Type | Description | | :-- | :-- | :-- | | [`additionalUnattendContent`](#parameter-additionalunattendcontent) | array | Specifies additional base-64 encoded XML formatted information that can be included in the Unattend.xml file, which is used by Windows Setup. - AdditionalUnattendContent object. | -| [`adminPassword`](#parameter-adminpassword) | securestring | When specifying a Windows Virtual Machine, this value should be passed. | | [`automaticRepairsPolicyEnabled`](#parameter-automaticrepairspolicyenabled) | bool | Specifies whether automatic repairs should be enabled on the virtual machine scale set. | | [`availabilityZones`](#parameter-availabilityzones) | array | The virtual machine scale set zones. NOTE: Availability zones can only be set when you create the scale set. | -| [`bootDiagnosticStorageAccountName`](#parameter-bootdiagnosticstorageaccountname) | string | Storage account used to store boot diagnostic information. Boot diagnostics will be disabled if no value is provided. | +| [`bootDiagnosticEnabled`](#parameter-bootdiagnosticenabled) | bool | Enable boot diagnostics to use default managed or secure storage. Defaults set to false. | +| [`bootDiagnosticStorageAccountName`](#parameter-bootdiagnosticstorageaccountname) | string | The name of the boot diagnostic storage account. Provide this if you want to use your own storage account for security reasons instead of the recommended Microsoft Managed Storage Account. | | [`bootDiagnosticStorageAccountUri`](#parameter-bootdiagnosticstorageaccounturi) | string | Storage account boot diagnostic base URI. | | [`bypassPlatformSafetyChecksOnUserSchedule`](#parameter-bypassplatformsafetychecksonuserschedule) | bool | Enables customer to schedule patching without accidental upgrades. 
| | [`customData`](#parameter-customdata) | string | Custom data associated to the VM, this value will be automatically converted into base64 to account for the expected VM format. | @@ -2387,6 +2411,13 @@ param vmPriority = 'Regular' | :-- | :-- | :-- | | [`baseTime`](#parameter-basetime) | string | Do not provide a value! This date value is used to generate a registration token. | +### Parameter: `adminPassword` + +When specifying a Windows Virtual Machine, this value should be passed. + +- Required: Yes +- Type: securestring + ### Parameter: `adminUsername` Administrator username. @@ -2451,14 +2482,6 @@ Specifies additional base-64 encoded XML formatted information that can be inclu - Type: array - Default: `[]` -### Parameter: `adminPassword` - -When specifying a Windows Virtual Machine, this value should be passed. - -- Required: No -- Type: securestring -- Default: `''` - ### Parameter: `automaticRepairsPolicyEnabled` Specifies whether automatic repairs should be enabled on the virtual machine scale set. @@ -2482,9 +2505,17 @@ The virtual machine scale set zones. NOTE: Availability zones can only be set wh ] ``` +### Parameter: `bootDiagnosticEnabled` + +Enable boot diagnostics to use default managed or secure storage. Defaults set to false. + +- Required: No +- Type: bool +- Default: `False` + ### Parameter: `bootDiagnosticStorageAccountName` -Storage account used to store boot diagnostic information. Boot diagnostics will be disabled if no value is provided. +The name of the boot diagnostic storage account. Provide this if you want to use your own storage account for security reasons instead of the recommended Microsoft Managed Storage Account. - Required: No - Type: string @@ -2817,6 +2848,7 @@ The configuration for the [Monitoring Agent] extension. Must at least contain th - Default: ```Bicep { + autoUpgradeMinorVersion: true enabled: false } ``` 
diff --git a/avm/res/compute/virtual-machine-scale-set/extension/main.json b/avm/res/compute/virtual-machine-scale-set/extension/main.json index db232f5964..83c7f96d89 100644 --- a/avm/res/compute/virtual-machine-scale-set/extension/main.json +++ b/avm/res/compute/virtual-machine-scale-set/extension/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "10358696382777462468" + "version": "0.31.92.45157", + "templateHash": "10486700103731235941" }, "name": "Virtual Machine Scale Set Extensions", "description": "This module deploys a Virtual Machine Scale Set Extension.", diff --git a/avm/res/compute/virtual-machine-scale-set/main.bicep b/avm/res/compute/virtual-machine-scale-set/main.bicep index 5bd73d62c0..5e820f026e 100644 --- a/avm/res/compute/virtual-machine-scale-set/main.bicep +++ b/avm/res/compute/virtual-machine-scale-set/main.bicep @@ -39,9 +39,9 @@ param ultraSSDEnabled bool = false @secure() param adminUsername string -@description('Optional. When specifying a Windows Virtual Machine, this value should be passed.') +@description('Required. When specifying a Windows Virtual Machine, this value should be passed.') @secure() -param adminPassword string = '' +param adminPassword string @description('Optional. Custom data associated to the VM, this value will be automatically converted into base64 to account for the expected VM format.') param customData string = '' @@ -99,6 +99,7 @@ param extensionAntiMalwareConfig object = { @description('Optional. The configuration for the [Monitoring Agent] extension. Must at least contain the ["enabled": true] property to be executed.') param extensionMonitoringAgentConfig object = { enabled: false + autoUpgradeMinorVersion: true } @description('Optional. Resource ID of the monitoring log analytics workspace.') 
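Review bot: The `@description` on `adminPassword` still says "When specifying a Windows Virtual Machine, this value should be passed" while the declaration below it becomes unconditionally required (`param adminPassword string`, no default), so Linux callers that authenticate with SSH keys must now supply a value as well; the updated README example for the Ubuntu test case does so by passing `''`. Either keep the `@secure()` default `''` so key-based Linux deployments are unaffected, or make the text match the contract, e.g. `@description('Required. Administrator password. Required for Windows; Linux scale sets that authenticate with SSH keys only currently pass an empty string.')` — whether the resource provider accepts an empty value in that case is not shown by this diff. The same description is duplicated in the compiled main.json hunk `@@ -305,9 +305,8 @@`.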
@@ -143,9 +144,12 @@ param extensionCustomScriptConfig object = { @description('Optional. Storage account boot diagnostic base URI.') param bootDiagnosticStorageAccountUri string = '.blob.${environment().suffixes.storage}/' -@description('Optional. Storage account used to store boot diagnostic information. Boot diagnostics will be disabled if no value is provided.') +@description('Optional. The name of the boot diagnostic storage account. Provide this if you want to use your own storage account for security reasons instead of the recommended Microsoft Managed Storage Account.') param bootDiagnosticStorageAccountName string = '' +@description('Optional. Enable boot diagnostics to use default managed or secure storage. Defaults set to false.') +param bootDiagnosticEnabled bool = false + @description('Optional. The diagnostic settings of the service.') param diagnosticSettings diagnosticSettingType @@ -360,11 +364,7 @@ var windowsConfiguration = { : null timeZone: empty(timeZone) ? null : timeZone additionalUnattendContent: empty(additionalUnattendContent) ? null : additionalUnattendContent - winRM: !empty(winRM) - ? { - listeners: winRM - } - : null + winRM: !empty(winRM) ? { listeners: winRM.listeners } : null } var accountSasProperties = { @@ -526,7 +526,7 @@ resource vmss 'Microsoft.Compute/virtualMachineScaleSets@2023-09-01' = { osProfile: { computerNamePrefix: vmNamePrefix adminUsername: adminUsername - adminPassword: !empty(adminPassword) ? adminPassword : null + adminPassword: adminPassword customData: !empty(customData) ? base64(customData) : null windowsConfiguration: osType == 'Windows' ? windowsConfiguration : null linuxConfiguration: osType == 'Linux' ? linuxConfiguration : null 
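Review bot: `winRM: !empty(winRM) ? { listeners: winRM.listeners } : null` changes what the `winRM` parameter is expected to hold: the removed lines used the parameter itself as the listener list, the new line reads a `listeners` property from it. If `winRM` was previously documented as the listener array, existing callers break and `!empty(winRM)` no longer guards the access that follows it; the parameter's declaration and README row are not in this diff, so this is inferred from the hunk alone. If the shape really changed, the parameter's type and description (and the module version) should change in the same patch; if it did not, the line should stay `listeners: winRM`. The enclosing `windowsConfiguration` variable starts before the hunk.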
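Review bot: `adminPassword: adminPassword` drops the empty-to-null conversion of the removed line, so an empty string now reaches `osProfile.adminPassword`; with the parameter made required elsewhere in this patch, the Linux examples pass exactly `''`. Whether the resource provider accepts an empty password for a key-authenticated Linux scale set is not visible here, so keeping `adminPassword: !empty(adminPassword) ? adminPassword : null` preserves the previous request shape while still requiring the parameter. The compiled equivalent is the main.json hunk `@@ -950,7 +957,7 @@`. The `vmss` resource body starts and ends outside the hunk.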
@@ -547,12 +547,12 @@ resource vmss 'Microsoft.Compute/virtualMachineScaleSets@2023-09-01' = { osDisk: { createOption: osDisk.createOption diskSizeGB: osDisk.diskSizeGB - caching: contains(osDisk, 'caching') ? osDisk.caching : null - writeAcceleratorEnabled: contains(osDisk, 'writeAcceleratorEnabled') ? osDisk.writeAcceleratorEnabled : null - diffDiskSettings: contains(osDisk, 'diffDiskSettings') ? osDisk.diffDiskSettings : null - osType: contains(osDisk, 'osType') ? osDisk.osType : null - image: contains(osDisk, 'image') ? osDisk.image : null - vhdContainers: contains(osDisk, 'vhdContainers') ? osDisk.vhdContainers : null + caching: osDisk.?caching + writeAcceleratorEnabled: osDisk.?writeAcceleratorEnabled + diffDiskSettings: osDisk.?diffDiskSettings + osType: osDisk.?osType + image: osDisk.?image + vhdContainers: osDisk.?vhdContainers managedDisk: { storageAccountType: osDisk.managedDisk.storageAccountType diskEncryptionSet: contains(osDisk.managedDisk, 'diskEncryptionSet') @@ -568,7 +568,7 @@ resource vmss 'Microsoft.Compute/virtualMachineScaleSets@2023-09-01' = { diskSizeGB: dataDisk.diskSizeGB createOption: dataDisk.createOption caching: dataDisk.caching - writeAcceleratorEnabled: contains(osDisk, 'writeAcceleratorEnabled') ? osDisk.writeAcceleratorEnabled : null + writeAcceleratorEnabled: osDisk.?writeAcceleratorEnabled managedDisk: { storageAccountType: dataDisk.managedDisk.storageAccountType diskEncryptionSet: contains(dataDisk.managedDisk, 'diskEncryptionSet') 
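Review bot: In the `dataDisks` loop, `writeAcceleratorEnabled: osDisk.?writeAcceleratorEnabled` still reads the OS disk's flag for every data disk; the refactor kept the source object of the removed line even though every neighbouring property in that hunk (`diskSizeGB`, `createOption`, `caching`, `managedDisk`) is taken from `dataDisk`. Unless mirroring the OS disk setting is intended, the line should be `writeAcceleratorEnabled: dataDisk.?writeAcceleratorEnabled`. The same read of `parameters('osDisk')` inside the data-disk copy appears in the compiled main.json hunk `@@ -971,7 +978,7 @@`. The `for dataDisk in …` body begins before and ends after the hunk.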
@@ -589,9 +589,7 @@ resource vmss 'Microsoft.Compute/virtualMachineScaleSets@2023-09-01' = { name: '${name}${nicConfiguration.nicSuffix}configuration-${index}' properties: { primary: (index == 0) ? true : any(null) - enableAcceleratedNetworking: contains(nicConfiguration, 'enableAcceleratedNetworking') - ? nicConfiguration.enableAcceleratedNetworking - : true + enableAcceleratedNetworking: nicConfiguration.?enableAcceleratedNetworking ?? true networkSecurityGroup: contains(nicConfiguration, 'nsgId') ? { id: nicConfiguration.nsgId @@ -604,7 +602,7 @@ resource vmss 'Microsoft.Compute/virtualMachineScaleSets@2023-09-01' = { } diagnosticsProfile: { bootDiagnostics: { - enabled: !empty(bootDiagnosticStorageAccountName) + enabled: !empty(bootDiagnosticStorageAccountName) ? true : bootDiagnosticEnabled storageUri: !empty(bootDiagnosticStorageAccountName) ? 'https://${bootDiagnosticStorageAccountName}${bootDiagnosticStorageAccountUri}' : null @@ -666,15 +664,9 @@ module vmss_domainJoinExtension 'extension/main.bicep' = if (extensionDomainJoin name: 'DomainJoin' publisher: 'Microsoft.Compute' type: 'JsonADDomainExtension' - typeHandlerVersion: contains(extensionDomainJoinConfig, 'typeHandlerVersion') - ? extensionDomainJoinConfig.typeHandlerVersion - : '1.3' - autoUpgradeMinorVersion: contains(extensionDomainJoinConfig, 'autoUpgradeMinorVersion') - ? extensionDomainJoinConfig.autoUpgradeMinorVersion - : true - enableAutomaticUpgrade: contains(extensionDomainJoinConfig, 'enableAutomaticUpgrade') - ? extensionDomainJoinConfig.enableAutomaticUpgrade - : false + typeHandlerVersion: extensionDomainJoinConfig.?typeHandlerVersion ?? '1.3' + autoUpgradeMinorVersion: extensionDomainJoinConfig.?autoUpgradeMinorVersion ?? true + enableAutomaticUpgrade: extensionDomainJoinConfig.?enableAutomaticUpgrade ?? false settings: extensionDomainJoinConfig.settings protectedSettings: { Password: extensionDomainJoinPassword 
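Review bot: `enabled: !empty(bootDiagnosticStorageAccountName) ? true : bootDiagnosticEnabled` is a boolean written as a conditional; `enabled: !empty(bootDiagnosticStorageAccountName) || bootDiagnosticEnabled` states the same rule directly. The rule also means a caller who leaves `bootDiagnosticEnabled` at its `false` default still gets boot diagnostics turned on as soon as a storage account name is supplied, which the new parameter's description ("Enable boot diagnostics to use default managed or secure storage. Defaults set to false.") does not say; appending `Ignored when bootDiagnosticStorageAccountName is set, which enables boot diagnostics on that account.` to the `@description` in hunk `@@ -143,9 +144,12 @@` would make the interaction explicit. The compiled form is in the main.json hunk `@@ -1017,7 +1024,7 @@`.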
@@ -689,15 +681,9 @@ module vmss_microsoftAntiMalwareExtension 'extension/main.bicep' = if (extension name: 'MicrosoftAntiMalware' publisher: 'Microsoft.Azure.Security' type: 'IaaSAntimalware' - typeHandlerVersion: contains(extensionAntiMalwareConfig, 'typeHandlerVersion') - ? extensionAntiMalwareConfig.typeHandlerVersion - : '1.3' - autoUpgradeMinorVersion: contains(extensionAntiMalwareConfig, 'autoUpgradeMinorVersion') - ? extensionAntiMalwareConfig.autoUpgradeMinorVersion - : true - enableAutomaticUpgrade: contains(extensionAntiMalwareConfig, 'enableAutomaticUpgrade') - ? extensionAntiMalwareConfig.enableAutomaticUpgrade - : false + typeHandlerVersion: extensionAntiMalwareConfig.?typeHandlerVersion ?? '1.3' + autoUpgradeMinorVersion: extensionAntiMalwareConfig.?autoUpgradeMinorVersion ?? true + enableAutomaticUpgrade: extensionAntiMalwareConfig.?enableAutomaticUpgrade ?? false settings: extensionAntiMalwareConfig.settings } dependsOn: [ 
@@ -720,15 +706,11 @@ module vmss_azureMonitorAgentExtension 'extension/main.bicep' = if (extensionMon name: 'AzureMonitorAgent' publisher: 'Microsoft.Azure.Monitor' type: osType == 'Windows' ? 'AzureMonitorWindowsAgent' : 'AzureMonitorLinuxAgent' - typeHandlerVersion: contains(extensionMonitoringAgentConfig, 'typeHandlerVersion') + typeHandlerVersion: extensionMonitoringAgentConfig.?typeHandlerVersion != null ? extensionMonitoringAgentConfig.typeHandlerVersion : (osType == 'Windows' ? '1.22' : '1.29') - autoUpgradeMinorVersion: contains(extensionMonitoringAgentConfig, 'autoUpgradeMinorVersion') - ? extensionMonitoringAgentConfig.autoUpgradeMinorVersion - : true - enableAutomaticUpgrade: contains(extensionMonitoringAgentConfig, 'enableAutomaticUpgrade') - ? extensionMonitoringAgentConfig.enableAutomaticUpgrade - : false + autoUpgradeMinorVersion: extensionMonitoringAgentConfig.autoUpgradeMinorVersion ?? true + enableAutomaticUpgrade: extensionMonitoringAgentConfig.?enableAutomaticUpgrade ?? false settings: { workspaceId: !empty(monitoringWorkspaceResourceId) ? vmss_logAnalyticsWorkspace.properties.customerId : '' GCS_AUTO_CONFIG: osType == 'Linux' ? true : null 
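Review bot: `autoUpgradeMinorVersion: extensionMonitoringAgentConfig.autoUpgradeMinorVersion ?? true` dereferences the property without `.?`, unlike every other extension in this patch and unlike `enableAutomaticUpgrade` on the next line. The parameter default now carries `autoUpgradeMinorVersion: true`, but a caller who supplies their own object (for example `{ enabled: true }`, which is why the README test cases gained the key in this same patch) replaces the default entirely, and the compiled form in the main.json hunk `@@ -1472,9 +1491,13 @@` becomes `coalesce(parameters('extensionMonitoringAgentConfig').autoUpgradeMinorVersion, true())`, which is expected to error at deployment on a missing key rather than fall back. It should read `autoUpgradeMinorVersion: extensionMonitoringAgentConfig.?autoUpgradeMinorVersion ?? true`. For consistency with the custom script extension, the three-line `typeHandlerVersion` conditional can also collapse to `typeHandlerVersion: extensionMonitoringAgentConfig.?typeHandlerVersion ?? (osType == 'Windows' ? '1.22' : '1.29')`.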
@@ -749,15 +731,9 @@ module vmss_dependencyAgentExtension 'extension/main.bicep' = if (extensionDepen name: 'DependencyAgent' publisher: 'Microsoft.Azure.Monitoring.DependencyAgent' type: osType == 'Windows' ? 'DependencyAgentWindows' : 'DependencyAgentLinux' - typeHandlerVersion: contains(extensionDependencyAgentConfig, 'typeHandlerVersion') - ? extensionDependencyAgentConfig.typeHandlerVersion - : '9.5' - autoUpgradeMinorVersion: contains(extensionDependencyAgentConfig, 'autoUpgradeMinorVersion') - ? extensionDependencyAgentConfig.autoUpgradeMinorVersion - : true - enableAutomaticUpgrade: contains(extensionDependencyAgentConfig, 'enableAutomaticUpgrade') - ? extensionDependencyAgentConfig.enableAutomaticUpgrade - : true + typeHandlerVersion: extensionDependencyAgentConfig.?typeHandlerVersion ?? '9.5' + autoUpgradeMinorVersion: extensionDependencyAgentConfig.?autoUpgradeMinorVersion ?? true + enableAutomaticUpgrade: extensionDependencyAgentConfig.?enableAutomaticUpgrade ?? true } dependsOn: [ vmss_azureMonitorAgentExtension 
@@ -771,15 +747,9 @@ module vmss_networkWatcherAgentExtension 'extension/main.bicep' = if (extensionN name: 'NetworkWatcherAgent' publisher: 'Microsoft.Azure.NetworkWatcher' type: osType == 'Windows' ? 'NetworkWatcherAgentWindows' : 'NetworkWatcherAgentLinux' - typeHandlerVersion: contains(extensionNetworkWatcherAgentConfig, 'typeHandlerVersion') - ? extensionNetworkWatcherAgentConfig.typeHandlerVersion - : '1.4' - autoUpgradeMinorVersion: contains(extensionNetworkWatcherAgentConfig, 'autoUpgradeMinorVersion') - ? extensionNetworkWatcherAgentConfig.autoUpgradeMinorVersion - : true - enableAutomaticUpgrade: contains(extensionNetworkWatcherAgentConfig, 'enableAutomaticUpgrade') - ? extensionNetworkWatcherAgentConfig.enableAutomaticUpgrade - : false + typeHandlerVersion: extensionNetworkWatcherAgentConfig.?typeHandlerVersion ?? '1.4' + autoUpgradeMinorVersion: extensionNetworkWatcherAgentConfig.?autoUpgradeMinorVersion ?? true + enableAutomaticUpgrade: extensionNetworkWatcherAgentConfig.?enableAutomaticUpgrade ?? false } dependsOn: [ vmss_dependencyAgentExtension 
@@ -793,17 +763,11 @@ module vmss_desiredStateConfigurationExtension 'extension/main.bicep' = if (exte name: 'DesiredStateConfiguration' publisher: 'Microsoft.Powershell' type: 'DSC' - typeHandlerVersion: contains(extensionDSCConfig, 'typeHandlerVersion') - ? extensionDSCConfig.typeHandlerVersion - : '2.77' - autoUpgradeMinorVersion: contains(extensionDSCConfig, 'autoUpgradeMinorVersion') - ? extensionDSCConfig.autoUpgradeMinorVersion - : true - enableAutomaticUpgrade: contains(extensionDSCConfig, 'enableAutomaticUpgrade') - ? extensionDSCConfig.enableAutomaticUpgrade - : false - settings: contains(extensionDSCConfig, 'settings') ? extensionDSCConfig.settings : {} - protectedSettings: contains(extensionDSCConfig, 'protectedSettings') ? extensionDSCConfig.protectedSettings : {} + typeHandlerVersion: extensionDSCConfig.?typeHandlerVersion ?? '2.77' + autoUpgradeMinorVersion: extensionDSCConfig.?autoUpgradeMinorVersion ?? true + enableAutomaticUpgrade: extensionDSCConfig.?enableAutomaticUpgrade ?? false + settings: extensionDSCConfig.?settings ?? {} + protectedSettings: extensionDSCConfig.?protectedSettings ?? {} } dependsOn: [ vmss_networkWatcherAgentExtension 
@@ -817,15 +781,9 @@ module vmss_customScriptExtension 'extension/main.bicep' = if (extensionCustomSc name: 'CustomScriptExtension' publisher: osType == 'Windows' ? 'Microsoft.Compute' : 'Microsoft.Azure.Extensions' type: osType == 'Windows' ? 'CustomScriptExtension' : 'CustomScript' - typeHandlerVersion: contains(extensionCustomScriptConfig, 'typeHandlerVersion') - ? extensionCustomScriptConfig.typeHandlerVersion - : (osType == 'Windows' ? '1.10' : '2.1') - autoUpgradeMinorVersion: contains(extensionCustomScriptConfig, 'autoUpgradeMinorVersion') - ? extensionCustomScriptConfig.autoUpgradeMinorVersion - : true - enableAutomaticUpgrade: contains(extensionCustomScriptConfig, 'enableAutomaticUpgrade') - ? extensionCustomScriptConfig.enableAutomaticUpgrade - : false + typeHandlerVersion: extensionCustomScriptConfig.?typeHandlerVersion ?? (osType == 'Windows' ? '1.10' : '2.1') + autoUpgradeMinorVersion: extensionCustomScriptConfig.?autoUpgradeMinorVersion ?? true + enableAutomaticUpgrade: extensionCustomScriptConfig.?enableAutomaticUpgrade ?? false settings: { fileUris: [ for fileData in extensionCustomScriptConfig.fileData: contains(fileData, 'storageAccountId') @@ -833,9 +791,7 @@ module vmss_customScriptExtension 'extension/main.bicep' = if (extensionCustomSc : fileData.uri ] } - protectedSettings: contains(extensionCustomScriptConfig, 'protectedSettings') - ? extensionCustomScriptConfig.protectedSettings - : {} + protectedSettings: extensionCustomScriptConfig.?protectedSettings ?? {} } dependsOn: [ vmss_desiredStateConfigurationExtension 
@@ -849,18 +805,10 @@ module vmss_azureDiskEncryptionExtension 'extension/main.bicep' = if (extensionA name: 'AzureDiskEncryption' publisher: 'Microsoft.Azure.Security' type: osType == 'Windows' ? 'AzureDiskEncryption' : 'AzureDiskEncryptionForLinux' - typeHandlerVersion: contains(extensionAzureDiskEncryptionConfig, 'typeHandlerVersion') - ? extensionAzureDiskEncryptionConfig.typeHandlerVersion - : (osType == 'Windows' ? '2.2' : '1.1') - autoUpgradeMinorVersion: contains(extensionAzureDiskEncryptionConfig, 'autoUpgradeMinorVersion') - ? extensionAzureDiskEncryptionConfig.autoUpgradeMinorVersion - : true - enableAutomaticUpgrade: contains(extensionAzureDiskEncryptionConfig, 'enableAutomaticUpgrade') - ? extensionAzureDiskEncryptionConfig.enableAutomaticUpgrade - : false - forceUpdateTag: contains(extensionAzureDiskEncryptionConfig, 'forceUpdateTag') - ? extensionAzureDiskEncryptionConfig.forceUpdateTag - : '1.0' + typeHandlerVersion: extensionAzureDiskEncryptionConfig.?typeHandlerVersion ?? (osType == 'Windows' ? '2.2' : '1.1') + autoUpgradeMinorVersion: extensionAzureDiskEncryptionConfig.?autoUpgradeMinorVersion ?? true + enableAutomaticUpgrade: extensionAzureDiskEncryptionConfig.?enableAutomaticUpgrade ?? false + forceUpdateTag: extensionAzureDiskEncryptionConfig.?forceUpdateTag ?? '1.0' settings: extensionAzureDiskEncryptionConfig.settings } dependsOn: [ diff --git a/avm/res/compute/virtual-machine-scale-set/main.json b/avm/res/compute/virtual-machine-scale-set/main.json index e28a730589..b87a6a0e7c 100644 --- a/avm/res/compute/virtual-machine-scale-set/main.json +++ b/avm/res/compute/virtual-machine-scale-set/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "2308330663598453138" + "version": "0.31.92.45157", + "templateHash": "5570232042557896838" }, "name": "Virtual Machine Scale Sets", "description": "This module deploys a Virtual Machine Scale Set.", 
@@ -305,9 +305,8 @@ }, "adminPassword": { "type": "securestring", - "defaultValue": "", "metadata": { - "description": "Optional. When specifying a Windows Virtual Machine, this value should be passed." + "description": "Required. When specifying a Windows Virtual Machine, this value should be passed." } }, "customData": { @@ -409,7 +408,8 @@ "extensionMonitoringAgentConfig": { "type": "object", "defaultValue": { - "enabled": false + "enabled": false, + "autoUpgradeMinorVersion": true }, "metadata": { "description": "Optional. The configuration for the [Monitoring Agent] extension. Must at least contain the [\"enabled\": true] property to be executed." @@ -493,7 +493,14 @@ "type": "string", "defaultValue": "", "metadata": { - "description": "Optional. Storage account used to store boot diagnostic information. Boot diagnostics will be disabled if no value is provided." + "description": "Optional. The name of the boot diagnostic storage account. Provide this if you want to use your own storage account for security reasons instead of the recommended Microsoft Managed Storage Account." + } + }, + "bootDiagnosticEnabled": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Enable boot diagnostics to use default managed or secure storage. Defaults set to false." } }, "diagnosticSettings": { 
@@ -870,7 +877,7 @@ "patchSettings": "[if(and(parameters('provisionVMAgent'), or(or(equals(toLower(parameters('patchMode')), toLower('AutomaticByPlatform')), equals(toLower(parameters('patchMode')), toLower('AutomaticByOS'))), equals(toLower(parameters('patchMode')), toLower('Manual')))), createObject('patchMode', parameters('patchMode'), 'assessmentMode', parameters('patchAssessmentMode'), 'automaticByPlatformSettings', if(equals(toLower(parameters('patchMode')), toLower('AutomaticByPlatform')), createObject('bypassPlatformSafetyChecksOnUserSchedule', parameters('bypassPlatformSafetyChecksOnUserSchedule'), 'rebootSetting', parameters('rebootSetting')), null())), null())]", "timeZone": "[if(empty(parameters('timeZone')), null(), parameters('timeZone'))]", "additionalUnattendContent": "[if(empty(parameters('additionalUnattendContent')), null(), parameters('additionalUnattendContent'))]", - "winRM": "[if(not(empty(parameters('winRM'))), createObject('listeners', parameters('winRM')), null())]" + "winRM": "[if(not(empty(parameters('winRM'))), createObject('listeners', parameters('winRM').listeners), null())]" }, "accountSasProperties": { "signedServices": "b", @@ -950,7 +957,7 @@ "osProfile": { "computerNamePrefix": "[parameters('vmNamePrefix')]", "adminUsername": "[parameters('adminUsername')]", - "adminPassword": "[if(not(empty(parameters('adminPassword'))), parameters('adminPassword'), null())]", + "adminPassword": "[parameters('adminPassword')]", "customData": "[if(not(empty(parameters('customData'))), base64(parameters('customData')), null())]", "windowsConfiguration": "[if(equals(parameters('osType'), 'Windows'), variables('windowsConfiguration'), null())]", "linuxConfiguration": "[if(equals(parameters('osType'), 'Linux'), variables('linuxConfiguration'), null())]", 
@@ -971,7 +978,7 @@ "diskSizeGB": "[parameters('dataDisks')[copyIndex('dataDisks')].diskSizeGB]", "createOption": "[parameters('dataDisks')[copyIndex('dataDisks')].createOption]", "caching": "[parameters('dataDisks')[copyIndex('dataDisks')].caching]", - "writeAcceleratorEnabled": "[if(contains(parameters('osDisk'), 'writeAcceleratorEnabled'), parameters('osDisk').writeAcceleratorEnabled, null())]", + "writeAcceleratorEnabled": "[tryGet(parameters('osDisk'), 'writeAcceleratorEnabled')]", "managedDisk": { "storageAccountType": "[parameters('dataDisks')[copyIndex('dataDisks')].managedDisk.storageAccountType]", "diskEncryptionSet": "[if(contains(parameters('dataDisks')[copyIndex('dataDisks')].managedDisk, 'diskEncryptionSet'), createObject('id', parameters('dataDisks')[copyIndex('dataDisks')].managedDisk.diskEncryptionSet.id), null())]" 
@@ -985,12 +992,12 @@ "osDisk": { "createOption": "[parameters('osDisk').createOption]", "diskSizeGB": "[parameters('osDisk').diskSizeGB]", - "caching": "[if(contains(parameters('osDisk'), 'caching'), parameters('osDisk').caching, null())]", - "writeAcceleratorEnabled": "[if(contains(parameters('osDisk'), 'writeAcceleratorEnabled'), parameters('osDisk').writeAcceleratorEnabled, null())]", - "diffDiskSettings": "[if(contains(parameters('osDisk'), 'diffDiskSettings'), parameters('osDisk').diffDiskSettings, null())]", - "osType": "[if(contains(parameters('osDisk'), 'osType'), parameters('osDisk').osType, null())]", - "image": "[if(contains(parameters('osDisk'), 'image'), parameters('osDisk').image, null())]", - "vhdContainers": "[if(contains(parameters('osDisk'), 'vhdContainers'), parameters('osDisk').vhdContainers, null())]", + "caching": "[tryGet(parameters('osDisk'), 'caching')]", + "writeAcceleratorEnabled": "[tryGet(parameters('osDisk'), 'writeAcceleratorEnabled')]", + "diffDiskSettings": "[tryGet(parameters('osDisk'), 'diffDiskSettings')]", + "osType": "[tryGet(parameters('osDisk'), 'osType')]", + "image": "[tryGet(parameters('osDisk'), 'image')]", + "vhdContainers": "[tryGet(parameters('osDisk'), 'vhdContainers')]", "managedDisk": { "storageAccountType": "[parameters('osDisk').managedDisk.storageAccountType]", "diskEncryptionSet": "[if(contains(parameters('osDisk').managedDisk, 'diskEncryptionSet'), createObject('id', parameters('osDisk').managedDisk.diskEncryptionSet.id), null())]" 
@@ -1006,7 +1013,7 @@ "name": "[format('{0}{1}configuration-{2}', parameters('name'), parameters('nicConfigurations')[copyIndex('networkInterfaceConfigurations')].nicSuffix, copyIndex('networkInterfaceConfigurations'))]", "properties": { "primary": "[if(equals(copyIndex('networkInterfaceConfigurations'), 0), true(), null())]", - "enableAcceleratedNetworking": "[if(contains(parameters('nicConfigurations')[copyIndex('networkInterfaceConfigurations')], 'enableAcceleratedNetworking'), parameters('nicConfigurations')[copyIndex('networkInterfaceConfigurations')].enableAcceleratedNetworking, true())]", + "enableAcceleratedNetworking": "[coalesce(tryGet(parameters('nicConfigurations')[copyIndex('networkInterfaceConfigurations')], 'enableAcceleratedNetworking'), true())]", "networkSecurityGroup": "[if(contains(parameters('nicConfigurations')[copyIndex('networkInterfaceConfigurations')], 'nsgId'), createObject('id', parameters('nicConfigurations')[copyIndex('networkInterfaceConfigurations')].nsgId), null())]", "ipConfigurations": "[parameters('nicConfigurations')[copyIndex('networkInterfaceConfigurations')].ipConfigurations]" } @@ -1017,7 +1024,7 @@ }, "diagnosticsProfile": { "bootDiagnostics": { - "enabled": "[not(empty(parameters('bootDiagnosticStorageAccountName')))]", + "enabled": "[if(not(empty(parameters('bootDiagnosticStorageAccountName'))), true(), parameters('bootDiagnosticEnabled'))]", "storageUri": "[if(not(empty(parameters('bootDiagnosticStorageAccountName'))), format('https://{0}{1}', parameters('bootDiagnosticStorageAccountName'), parameters('bootDiagnosticStorageAccountUri')), null())]" } }, 
@@ -1144,9 +1151,15 @@ "type": { "value": "JsonADDomainExtension" }, - "typeHandlerVersion": "[if(contains(parameters('extensionDomainJoinConfig'), 'typeHandlerVersion'), createObject('value', parameters('extensionDomainJoinConfig').typeHandlerVersion), createObject('value', '1.3'))]", - "autoUpgradeMinorVersion": "[if(contains(parameters('extensionDomainJoinConfig'), 'autoUpgradeMinorVersion'), createObject('value', parameters('extensionDomainJoinConfig').autoUpgradeMinorVersion), createObject('value', true()))]", - "enableAutomaticUpgrade": "[if(contains(parameters('extensionDomainJoinConfig'), 'enableAutomaticUpgrade'), createObject('value', parameters('extensionDomainJoinConfig').enableAutomaticUpgrade), createObject('value', false()))]", + "typeHandlerVersion": { + "value": "[coalesce(tryGet(parameters('extensionDomainJoinConfig'), 'typeHandlerVersion'), '1.3')]" + }, + "autoUpgradeMinorVersion": { + "value": "[coalesce(tryGet(parameters('extensionDomainJoinConfig'), 'autoUpgradeMinorVersion'), true())]" + }, + "enableAutomaticUpgrade": { + "value": "[coalesce(tryGet(parameters('extensionDomainJoinConfig'), 'enableAutomaticUpgrade'), false())]" + }, "settings": { "value": "[parameters('extensionDomainJoinConfig').settings]" }, @@ -1162,8 +1175,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "10358696382777462468" + "version": "0.31.92.45157", + "templateHash": "10486700103731235941" }, "name": "Virtual Machine Scale Set Extensions", "description": "This module deploys a Virtual Machine Scale Set Extension.", 
@@ -1311,9 +1324,15 @@ "type": { "value": "IaaSAntimalware" }, - "typeHandlerVersion": "[if(contains(parameters('extensionAntiMalwareConfig'), 'typeHandlerVersion'), createObject('value', parameters('extensionAntiMalwareConfig').typeHandlerVersion), createObject('value', '1.3'))]", - "autoUpgradeMinorVersion": "[if(contains(parameters('extensionAntiMalwareConfig'), 'autoUpgradeMinorVersion'), createObject('value', parameters('extensionAntiMalwareConfig').autoUpgradeMinorVersion), createObject('value', true()))]", - "enableAutomaticUpgrade": "[if(contains(parameters('extensionAntiMalwareConfig'), 'enableAutomaticUpgrade'), createObject('value', parameters('extensionAntiMalwareConfig').enableAutomaticUpgrade), createObject('value', false()))]", + "typeHandlerVersion": { + "value": "[coalesce(tryGet(parameters('extensionAntiMalwareConfig'), 'typeHandlerVersion'), '1.3')]" + }, + "autoUpgradeMinorVersion": { + "value": "[coalesce(tryGet(parameters('extensionAntiMalwareConfig'), 'autoUpgradeMinorVersion'), true())]" + }, + "enableAutomaticUpgrade": { + "value": "[coalesce(tryGet(parameters('extensionAntiMalwareConfig'), 'enableAutomaticUpgrade'), false())]" + }, "settings": { "value": "[parameters('extensionAntiMalwareConfig').settings]" } @@ -1324,8 +1343,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "10358696382777462468" + "version": "0.31.92.45157", + "templateHash": "10486700103731235941" }, "name": "Virtual Machine Scale Set Extensions", "description": "This module deploys a Virtual Machine Scale Set Extension.", 
@@ -1472,9 +1491,13 @@ "value": "Microsoft.Azure.Monitor" }, "type": "[if(equals(parameters('osType'), 'Windows'), createObject('value', 'AzureMonitorWindowsAgent'), createObject('value', 'AzureMonitorLinuxAgent'))]", - "typeHandlerVersion": "[if(contains(parameters('extensionMonitoringAgentConfig'), 'typeHandlerVersion'), createObject('value', parameters('extensionMonitoringAgentConfig').typeHandlerVersion), if(equals(parameters('osType'), 'Windows'), createObject('value', '1.22'), createObject('value', '1.29')))]", - "autoUpgradeMinorVersion": "[if(contains(parameters('extensionMonitoringAgentConfig'), 'autoUpgradeMinorVersion'), createObject('value', parameters('extensionMonitoringAgentConfig').autoUpgradeMinorVersion), createObject('value', true()))]", - "enableAutomaticUpgrade": "[if(contains(parameters('extensionMonitoringAgentConfig'), 'enableAutomaticUpgrade'), createObject('value', parameters('extensionMonitoringAgentConfig').enableAutomaticUpgrade), createObject('value', false()))]", + "typeHandlerVersion": "[if(not(equals(tryGet(parameters('extensionMonitoringAgentConfig'), 'typeHandlerVersion'), null())), createObject('value', parameters('extensionMonitoringAgentConfig').typeHandlerVersion), if(equals(parameters('osType'), 'Windows'), createObject('value', '1.22'), createObject('value', '1.29')))]", + "autoUpgradeMinorVersion": { + "value": "[coalesce(parameters('extensionMonitoringAgentConfig').autoUpgradeMinorVersion, true())]" + }, + "enableAutomaticUpgrade": { + "value": "[coalesce(tryGet(parameters('extensionMonitoringAgentConfig'), 'enableAutomaticUpgrade'), false())]" + }, "settings": { "value": { "workspaceId": "[if(not(empty(parameters('monitoringWorkspaceResourceId'))), reference('vmss_logAnalyticsWorkspace').customerId, '')]", 
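Review bot: `autoUpgradeMinorVersion` for the monitoring-agent extension is the only one in this change that reads `parameters('extensionMonitoringAgentConfig').autoUpgradeMinorVersion` directly instead of through `tryGet`, so a caller that omits that key fails at deployment time where every other extension falls back to `true()`; the sibling `typeHandlerVersion` on the line above also departs from the `coalesce(tryGet(...), ...)` form used elsewhere in this patch. The e2e tests further down add `autoUpgradeMinorVersion: true` to every `extensionMonitoringAgentConfig`, which looks like a workaround for exactly this. Since `main.json` is generated, the fix belongs in the source `main.bicep` (not in this diff); the generated line should come out as `"value": "[coalesce(tryGet(parameters('extensionMonitoringAgentConfig'), 'autoUpgradeMinorVersion'), true())]"`. The `coalesce(tryGet(...), if(...))` shape used for the custom-script extension would also simplify `typeHandlerVersion` here.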
@@ -1493,8 +1516,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "10358696382777462468" + "version": "0.31.92.45157", + "templateHash": "10486700103731235941" }, "name": "Virtual Machine Scale Set Extensions", "description": "This module deploys a Virtual Machine Scale Set Extension.", @@ -1642,9 +1665,15 @@ "value": "Microsoft.Azure.Monitoring.DependencyAgent" }, "type": "[if(equals(parameters('osType'), 'Windows'), createObject('value', 'DependencyAgentWindows'), createObject('value', 'DependencyAgentLinux'))]", - "typeHandlerVersion": "[if(contains(parameters('extensionDependencyAgentConfig'), 'typeHandlerVersion'), createObject('value', parameters('extensionDependencyAgentConfig').typeHandlerVersion), createObject('value', '9.5'))]", - "autoUpgradeMinorVersion": "[if(contains(parameters('extensionDependencyAgentConfig'), 'autoUpgradeMinorVersion'), createObject('value', parameters('extensionDependencyAgentConfig').autoUpgradeMinorVersion), createObject('value', true()))]", - "enableAutomaticUpgrade": "[if(contains(parameters('extensionDependencyAgentConfig'), 'enableAutomaticUpgrade'), createObject('value', parameters('extensionDependencyAgentConfig').enableAutomaticUpgrade), createObject('value', true()))]" + "typeHandlerVersion": { + "value": "[coalesce(tryGet(parameters('extensionDependencyAgentConfig'), 'typeHandlerVersion'), '9.5')]" + }, + "autoUpgradeMinorVersion": { + "value": "[coalesce(tryGet(parameters('extensionDependencyAgentConfig'), 'autoUpgradeMinorVersion'), true())]" + }, + "enableAutomaticUpgrade": { + "value": "[coalesce(tryGet(parameters('extensionDependencyAgentConfig'), 'enableAutomaticUpgrade'), true())]" + } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", 
@@ -1652,8 +1681,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "10358696382777462468" + "version": "0.31.92.45157", + "templateHash": "10486700103731235941" }, "name": "Virtual Machine Scale Set Extensions", "description": "This module deploys a Virtual Machine Scale Set Extension.", @@ -1800,9 +1829,15 @@ "value": "Microsoft.Azure.NetworkWatcher" }, "type": "[if(equals(parameters('osType'), 'Windows'), createObject('value', 'NetworkWatcherAgentWindows'), createObject('value', 'NetworkWatcherAgentLinux'))]", - "typeHandlerVersion": "[if(contains(parameters('extensionNetworkWatcherAgentConfig'), 'typeHandlerVersion'), createObject('value', parameters('extensionNetworkWatcherAgentConfig').typeHandlerVersion), createObject('value', '1.4'))]", - "autoUpgradeMinorVersion": "[if(contains(parameters('extensionNetworkWatcherAgentConfig'), 'autoUpgradeMinorVersion'), createObject('value', parameters('extensionNetworkWatcherAgentConfig').autoUpgradeMinorVersion), createObject('value', true()))]", - "enableAutomaticUpgrade": "[if(contains(parameters('extensionNetworkWatcherAgentConfig'), 'enableAutomaticUpgrade'), createObject('value', parameters('extensionNetworkWatcherAgentConfig').enableAutomaticUpgrade), createObject('value', false()))]" + "typeHandlerVersion": { + "value": "[coalesce(tryGet(parameters('extensionNetworkWatcherAgentConfig'), 'typeHandlerVersion'), '1.4')]" + }, + "autoUpgradeMinorVersion": { + "value": "[coalesce(tryGet(parameters('extensionNetworkWatcherAgentConfig'), 'autoUpgradeMinorVersion'), true())]" + }, + "enableAutomaticUpgrade": { + "value": "[coalesce(tryGet(parameters('extensionNetworkWatcherAgentConfig'), 'enableAutomaticUpgrade'), false())]" + } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", 
@@ -1810,8 +1845,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "10358696382777462468" + "version": "0.31.92.45157", + "templateHash": "10486700103731235941" }, "name": "Virtual Machine Scale Set Extensions", "description": "This module deploys a Virtual Machine Scale Set Extension.", 
@@ -1960,11 +1995,21 @@ "type": { "value": "DSC" }, - "typeHandlerVersion": "[if(contains(parameters('extensionDSCConfig'), 'typeHandlerVersion'), createObject('value', parameters('extensionDSCConfig').typeHandlerVersion), createObject('value', '2.77'))]", - "autoUpgradeMinorVersion": "[if(contains(parameters('extensionDSCConfig'), 'autoUpgradeMinorVersion'), createObject('value', parameters('extensionDSCConfig').autoUpgradeMinorVersion), createObject('value', true()))]", - "enableAutomaticUpgrade": "[if(contains(parameters('extensionDSCConfig'), 'enableAutomaticUpgrade'), createObject('value', parameters('extensionDSCConfig').enableAutomaticUpgrade), createObject('value', false()))]", - "settings": "[if(contains(parameters('extensionDSCConfig'), 'settings'), createObject('value', parameters('extensionDSCConfig').settings), createObject('value', createObject()))]", - "protectedSettings": "[if(contains(parameters('extensionDSCConfig'), 'protectedSettings'), createObject('value', parameters('extensionDSCConfig').protectedSettings), createObject('value', createObject()))]" + "typeHandlerVersion": { + "value": "[coalesce(tryGet(parameters('extensionDSCConfig'), 'typeHandlerVersion'), '2.77')]" + }, + "autoUpgradeMinorVersion": { + "value": "[coalesce(tryGet(parameters('extensionDSCConfig'), 'autoUpgradeMinorVersion'), true())]" + }, + "enableAutomaticUpgrade": { + "value": "[coalesce(tryGet(parameters('extensionDSCConfig'), 'enableAutomaticUpgrade'), false())]" + }, + "settings": { + "value": "[coalesce(tryGet(parameters('extensionDSCConfig'), 'settings'), createObject())]" + }, + "protectedSettings": { + "value": "[coalesce(tryGet(parameters('extensionDSCConfig'), 'protectedSettings'), createObject())]" + } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", 
@@ -1972,8 +2017,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "10358696382777462468" + "version": "0.31.92.45157", + "templateHash": "10486700103731235941" }, "name": "Virtual Machine Scale Set Extensions", "description": "This module deploys a Virtual Machine Scale Set Extension.", @@ -2118,9 +2163,15 @@ }, "publisher": "[if(equals(parameters('osType'), 'Windows'), createObject('value', 'Microsoft.Compute'), createObject('value', 'Microsoft.Azure.Extensions'))]", "type": "[if(equals(parameters('osType'), 'Windows'), createObject('value', 'CustomScriptExtension'), createObject('value', 'CustomScript'))]", - "typeHandlerVersion": "[if(contains(parameters('extensionCustomScriptConfig'), 'typeHandlerVersion'), createObject('value', parameters('extensionCustomScriptConfig').typeHandlerVersion), if(equals(parameters('osType'), 'Windows'), createObject('value', '1.10'), createObject('value', '2.1')))]", - "autoUpgradeMinorVersion": "[if(contains(parameters('extensionCustomScriptConfig'), 'autoUpgradeMinorVersion'), createObject('value', parameters('extensionCustomScriptConfig').autoUpgradeMinorVersion), createObject('value', true()))]", - "enableAutomaticUpgrade": "[if(contains(parameters('extensionCustomScriptConfig'), 'enableAutomaticUpgrade'), createObject('value', parameters('extensionCustomScriptConfig').enableAutomaticUpgrade), createObject('value', false()))]", + "typeHandlerVersion": { + "value": "[coalesce(tryGet(parameters('extensionCustomScriptConfig'), 'typeHandlerVersion'), if(equals(parameters('osType'), 'Windows'), '1.10', '2.1'))]" + }, + "autoUpgradeMinorVersion": { + "value": "[coalesce(tryGet(parameters('extensionCustomScriptConfig'), 'autoUpgradeMinorVersion'), true())]" + }, + "enableAutomaticUpgrade": { + "value": "[coalesce(tryGet(parameters('extensionCustomScriptConfig'), 'enableAutomaticUpgrade'), false())]" + }, "settings": { "value": { "copy": [ 
@@ -2132,7 +2183,9 @@ ] } }, - "protectedSettings": "[if(contains(parameters('extensionCustomScriptConfig'), 'protectedSettings'), createObject('value', parameters('extensionCustomScriptConfig').protectedSettings), createObject('value', createObject()))]" + "protectedSettings": { + "value": "[coalesce(tryGet(parameters('extensionCustomScriptConfig'), 'protectedSettings'), createObject())]" + } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", @@ -2140,8 +2193,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "10358696382777462468" + "version": "0.31.92.45157", + "templateHash": "10486700103731235941" }, "name": "Virtual Machine Scale Set Extensions", "description": "This module deploys a Virtual Machine Scale Set Extension.", 
@@ -2288,10 +2341,18 @@ "value": "Microsoft.Azure.Security" }, "type": "[if(equals(parameters('osType'), 'Windows'), createObject('value', 'AzureDiskEncryption'), createObject('value', 'AzureDiskEncryptionForLinux'))]", - "typeHandlerVersion": "[if(contains(parameters('extensionAzureDiskEncryptionConfig'), 'typeHandlerVersion'), createObject('value', parameters('extensionAzureDiskEncryptionConfig').typeHandlerVersion), if(equals(parameters('osType'), 'Windows'), createObject('value', '2.2'), createObject('value', '1.1')))]", - "autoUpgradeMinorVersion": "[if(contains(parameters('extensionAzureDiskEncryptionConfig'), 'autoUpgradeMinorVersion'), createObject('value', parameters('extensionAzureDiskEncryptionConfig').autoUpgradeMinorVersion), createObject('value', true()))]", - "enableAutomaticUpgrade": "[if(contains(parameters('extensionAzureDiskEncryptionConfig'), 'enableAutomaticUpgrade'), createObject('value', parameters('extensionAzureDiskEncryptionConfig').enableAutomaticUpgrade), createObject('value', false()))]", - "forceUpdateTag": "[if(contains(parameters('extensionAzureDiskEncryptionConfig'), 'forceUpdateTag'), createObject('value', parameters('extensionAzureDiskEncryptionConfig').forceUpdateTag), createObject('value', '1.0'))]", + "typeHandlerVersion": { + "value": "[coalesce(tryGet(parameters('extensionAzureDiskEncryptionConfig'), 'typeHandlerVersion'), if(equals(parameters('osType'), 'Windows'), '2.2', '1.1'))]" + }, + "autoUpgradeMinorVersion": { + "value": "[coalesce(tryGet(parameters('extensionAzureDiskEncryptionConfig'), 'autoUpgradeMinorVersion'), true())]" + }, + "enableAutomaticUpgrade": { + "value": "[coalesce(tryGet(parameters('extensionAzureDiskEncryptionConfig'), 'enableAutomaticUpgrade'), false())]" + }, + "forceUpdateTag": { + "value": "[coalesce(tryGet(parameters('extensionAzureDiskEncryptionConfig'), 'forceUpdateTag'), '1.0')]" + }, "settings": { "value": "[parameters('extensionAzureDiskEncryptionConfig').settings]" } 
@@ -2302,8 +2363,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.29.47.4906",
- "templateHash": "10358696382777462468"
+ "version": "0.31.92.45157",
+ "templateHash": "10486700103731235941"
 },
 "name": "Virtual Machine Scale Set Extensions",
 "description": "This module deploys a Virtual Machine Scale Set Extension.",
diff --git a/avm/res/compute/virtual-machine-scale-set/tests/e2e/linux.defaults/main.test.bicep b/avm/res/compute/virtual-machine-scale-set/tests/e2e/linux.defaults/main.test.bicep
index c762304bb7..780da5e663 100644
--- a/avm/res/compute/virtual-machine-scale-set/tests/e2e/linux.defaults/main.test.bicep
+++ b/avm/res/compute/virtual-machine-scale-set/tests/e2e/linux.defaults/main.test.bicep
@@ -17,6 +17,10 @@ param resourceLocation string = deployment().location
 @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
 param serviceShort string = 'cvmsslinmin'
+@description('Optional. The password to leverage for the login.')
+@secure()
+param password string = newGuid()
+
 @description('Optional. A token to inject into the name of each resource.')
 param namePrefix string = '#_namePrefix_#'
@@ -56,6 +60,7 @@ module testDeployment '../../../main.bicep' = [
 location: resourceLocation
 name: '${namePrefix}${serviceShort}001'
 adminUsername: 'scaleSetAdmin'
+adminPassword: password
 imageReference: {
 publisher: 'Canonical'
 offer: '0001-com-ubuntu-server-jammy'
diff --git a/avm/res/compute/virtual-machine-scale-set/tests/e2e/linux.max/main.test.bicep b/avm/res/compute/virtual-machine-scale-set/tests/e2e/linux.max/main.test.bicep
index 391d985bcd..1a1d226be0 100644
--- a/avm/res/compute/virtual-machine-scale-set/tests/e2e/linux.max/main.test.bicep
+++ b/avm/res/compute/virtual-machine-scale-set/tests/e2e/linux.max/main.test.bicep
@@ -17,6 +17,10 @@ param resourceLocation string = deployment().location
 @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
 param serviceShort string = 'cvmsslinmax'
+@description('Optional. The password to leverage for the login.')
+@secure()
+param password string = newGuid()
+
 @description('Optional. A token to inject into the name of each resource.')
 param namePrefix string = '#_namePrefix_#'
@@ -73,6 +77,7 @@ module testDeployment '../../../main.bicep' = [
 location: resourceLocation
 name: '${namePrefix}${serviceShort}001'
 adminUsername: 'scaleSetAdmin'
+adminPassword: password
 imageReference: {
 publisher: 'Canonical'
 offer: '0001-com-ubuntu-server-jammy'
@@ -91,6 +96,7 @@ module testDeployment '../../../main.bicep' = [
 availabilityZones: [
 '2'
 ]
+bootDiagnosticEnabled: true
 bootDiagnosticStorageAccountName: nestedDependencies.outputs.storageAccountName
 dataDisks: [
 {
@@ -156,6 +162,7 @@ module testDeployment '../../../main.bicep' = [
 }
 extensionMonitoringAgentConfig: {
 enabled: true
+autoUpgradeMinorVersion: true
 }
 extensionNetworkWatcherAgentConfig: {
 enabled: true
diff --git a/avm/res/compute/virtual-machine-scale-set/tests/e2e/linux.ssecmk/main.test.bicep b/avm/res/compute/virtual-machine-scale-set/tests/e2e/linux.ssecmk/main.test.bicep
index 0123911437..451b30d416 100644
--- a/avm/res/compute/virtual-machine-scale-set/tests/e2e/linux.ssecmk/main.test.bicep
+++ b/avm/res/compute/virtual-machine-scale-set/tests/e2e/linux.ssecmk/main.test.bicep
@@ -17,6 +17,10 @@ param resourceLocation string = deployment().location
 @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
 param serviceShort string = 'cvmsslcmk'
+@description('Optional. The password to leverage for the login.')
+@secure()
+param password string = newGuid()
+
 @description('Generated. Used as a basis for unique resource names.')
 param baseTime string = utcNow('u')
@@ -60,10 +64,12 @@ module testDeployment '../../../main.bicep' = [
 params: {
 extensionMonitoringAgentConfig: {
 enabled: true
+autoUpgradeMinorVersion: true
 }
 location: resourceLocation
 name: '${namePrefix}${serviceShort}001'
 adminUsername: 'scaleSetAdmin'
+adminPassword: password
 imageReference: {
 publisher: 'Canonical'
 offer: '0001-com-ubuntu-server-jammy'
diff --git a/avm/res/compute/virtual-machine-scale-set/tests/e2e/windows.max/main.test.bicep b/avm/res/compute/virtual-machine-scale-set/tests/e2e/windows.max/main.test.bicep
index 344ca00812..2200317521 100644
--- a/avm/res/compute/virtual-machine-scale-set/tests/e2e/windows.max/main.test.bicep
+++ b/avm/res/compute/virtual-machine-scale-set/tests/e2e/windows.max/main.test.bicep
@@ -157,6 +157,7 @@ module testDeployment '../../../main.bicep' = [
 }
 extensionMonitoringAgentConfig: {
 enabled: true
+autoUpgradeMinorVersion: true
 }
 extensionNetworkWatcherAgentConfig: {
 enabled: true
diff --git a/avm/res/compute/virtual-machine-scale-set/tests/e2e/windows.waf-aligned/main.test.bicep b/avm/res/compute/virtual-machine-scale-set/tests/e2e/windows.waf-aligned/main.test.bicep
index 0374439530..628decf330 100644
--- a/avm/res/compute/virtual-machine-scale-set/tests/e2e/windows.waf-aligned/main.test.bicep
+++ b/avm/res/compute/virtual-machine-scale-set/tests/e2e/windows.waf-aligned/main.test.bicep
@@ -157,6 +157,7 @@ module testDeployment '../../../main.bicep' = [
 }
 extensionMonitoringAgentConfig: {
 enabled: true
+autoUpgradeMinorVersion: true
 }
 extensionNetworkWatcherAgentConfig: {
 enabled: true
diff --git a/avm/res/compute/virtual-machine-scale-set/version.json b/avm/res/compute/virtual-machine-scale-set/version.json
index 3f863a2bec..04a0dd1a80 100644
--- a/avm/res/compute/virtual-machine-scale-set/version.json
+++ b/avm/res/compute/virtual-machine-scale-set/version.json
@@ -1,7 +1,7 @@
 {
 "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
+ "version": "0.5",
 "pathFilters": [
 "./main.json"
 ]
-}
\ No newline at end of file
+}
From e6f1380cfd1e0bbc21ea26afda39e8e6e6977cda Mon Sep 17 00:00:00 2001
From: Kris Baranek <20225789+krbar@users.noreply.github.com> Date: Thu, 21 Nov 2024 23:26:34 +0100 Subject: [PATCH 5/6] feat: Add AVM Common Types to the `avm/res/insights/data-collection-endpoint` module (#3805) ## Description Utilizing AVM Common Types in `avm/res/insights/data-collection-endpoint` module ## Pipeline Reference | Pipeline | | -------- | | [![avm.res.insights.data-collection-endpoint](https://github.com/krbar/bicep-registry-modules/actions/workflows/avm.res.insights.data-collection-endpoint.yml/badge.svg?branch=users%2Fkrbar%2FdceCommonTypes)](https://github.com/krbar/bicep-registry-modules/actions/workflows/avm.res.insights.data-collection-endpoint.yml) | ## Type of Change - [ ] Update to CI Environment or utilities (Non-module affecting changes) - [x] Azure Verified Module updates: - [ ] Bugfix containing backwards-compatible bug fixes, and I have NOT bumped the MAJOR or MINOR version in `version.json`: - [ ] Someone has opened a bug report issue, and I have included "Closes #{bug_report_issue_number}" in the PR description. - [ ] The bug was found by the module author, and no one has opened an issue to report it yet. - [ ] Feature update backwards compatible feature updates, and I have bumped the MINOR version in `version.json`. - [ ] Breaking changes and I have bumped the MAJOR version in `version.json`. - [ ] Update to documentation ## Checklist - [x] I'm sure there are no other open Pull Requests for the same update/change - [x] I have run `Set-AVMModule` locally to generate the supporting module files. - [x] My corresponding pipelines / checks run clean and green without any errors or warnings --- .../data-collection-endpoint/README.md | 10 ++ .../data-collection-endpoint/main.bicep | 45 +---- .../data-collection-endpoint/main.json | 159 ++++++++++-------- .../data-collection-endpoint/version.json | 10 +- 4 files changed, 106 insertions(+), 118 deletions(-) 
diff --git a/avm/res/insights/data-collection-endpoint/README.md b/avm/res/insights/data-collection-endpoint/README.md index f84c7e1926..b6350fd2f1 100644 --- a/avm/res/insights/data-collection-endpoint/README.md +++ b/avm/res/insights/data-collection-endpoint/README.md @@ -8,6 +8,7 @@ This module deploys a Data Collection Endpoint. - [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) +- [Cross-referenced modules](#Cross-referenced-modules) - [Data Collection](#Data-Collection) ## Resource Types @@ -468,6 +469,7 @@ The configuration to set whether network access from public internet to the endp [ 'Disabled' 'Enabled' + 'SecuredByPerimeter' ] ``` 
@@ -590,6 +592,14 @@ Resource tags. | `resourceGroupName` | string | The name of the resource group the dataCollectionEndpoint was created in. | | `resourceId` | string | The resource ID of the dataCollectionEndpoint. | +## Cross-referenced modules + +This section gives you an overview of all local-referenced module files (i.e., other modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). + +| Reference | Type | +| :-- | :-- | +| `br/public:avm/utl/types/avm-common-types:0.3.0` | Remote reference | + ## Data Collection The software may collect information about you and your use of the software and send it to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may turn off the telemetry as described in the [repository](https://aka.ms/avm/telemetry). There are also some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law, including providing appropriate notices to users of your applications together with a copy of Microsoft’s privacy statement. Our privacy statement is located at . You can learn more about data collection and use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices. diff --git a/avm/res/insights/data-collection-endpoint/main.bicep b/avm/res/insights/data-collection-endpoint/main.bicep index f9a3eb3402..18ac892b1c 100644 --- a/avm/res/insights/data-collection-endpoint/main.bicep +++ b/avm/res/insights/data-collection-endpoint/main.bicep 
@@ -25,16 +25,19 @@ param kind string = 'Linux'
 @sys.description('Optional. Location for all Resources.')
 param location string = resourceGroup().location
+import { lockType } from 'br/public:avm/utl/types/avm-common-types:0.3.0'
 @sys.description('Optional. The lock settings of the service.')
-param lock lockType
+param lock lockType?
+import { roleAssignmentType } from 'br/public:avm/utl/types/avm-common-types:0.3.0'
 @sys.description('Optional. Array of role assignments to create.')
-param roleAssignments roleAssignmentType
+param roleAssignments roleAssignmentType[]?
 @sys.description('Optional. The configuration to set whether network access from public internet to the endpoints are allowed.')
 @allowed([
 'Enabled'
 'Disabled'
+ 'SecuredByPerimeter'
 ])
 param publicNetworkAccess string = 'Disabled'
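Review bot: The `@sys.description` on `publicNetworkAccess` still reads as a two-state switch while the `@allowed` list now carries a third value, `SecuredByPerimeter`, so the README generated from it tells callers nothing about when to pick it; consider `@sys.description('Optional. The configuration to set whether network access from public internet to the endpoints is allowed. With SecuredByPerimeter, access is governed by the network security perimeter the endpoint is associated with.')` (this also fixes the "endpoints are allowed" agreement). As a point of style, the two `import { ... } from 'br/public:avm/utl/types/avm-common-types:0.3.0'` statements can be a single `import { lockType, roleAssignmentType } from 'br/public:avm/utl/types/avm-common-types:0.3.0'`; the same applies to the three separate imports in the data-collection-rule `main.bicep` hunk further down. The resources that consume `lock` and `roleAssignments` are outside this hunk.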
@@ -148,41 +151,3 @@ output resourceGroupName string = resourceGroup().name @sys.description('The location the resource was deployed into.') output location string = dataCollectionEndpoint.location - -// =============== // -// Definitions // -// =============== // - -type lockType = { - @sys.description('Optional. Specify the name of lock.') - name: string? - - @sys.description('Optional. Specify the type of lock.') - kind: ('CanNotDelete' | 'ReadOnly' | 'None')? -}? - -type roleAssignmentType = { - @sys.description('Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated.') - name: string? - - @sys.description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') - roleDefinitionIdOrName: string - - @sys.description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') - principalId: string - - @sys.description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? - - @sys.description('Optional. The description of the role assignment.') - description: string? - - @sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') - condition: string? - - @sys.description('Optional. Version of the condition.') - conditionVersion: '2.0'? - - @sys.description('Optional. The Resource Id of the delegated managed identity resource.') - delegatedManagedIdentityResourceId: string? -}[]? 
diff --git a/avm/res/insights/data-collection-endpoint/main.json b/avm/res/insights/data-collection-endpoint/main.json index 20f7d5a9b0..018d4dd711 100644 --- a/avm/res/insights/data-collection-endpoint/main.json +++ b/avm/res/insights/data-collection-endpoint/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "3266035926509206513" + "version": "0.31.92.45157", + "templateHash": "426613275958311158" }, "name": "Data Collection Endpoints", "description": "This module deploys a Data Collection Endpoint.", 
@@ -36,80 +36,87 @@ } } }, - "nullable": true + "metadata": { + "description": "An AVM-aligned type for a lock.", + "__bicep_imported_from!": { + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.3.0" + } + } }, "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." 
- } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated." + } + }, + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." } } }, - "nullable": true + "metadata": { + "description": "An AVM-aligned type for a role assignment.", + "__bicep_imported_from!": { + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.3.0" + } + } } }, "parameters": { @@ -153,12 +160,17 @@ }, "lock": { "$ref": "#/definitions/lockType", + "nullable": true, "metadata": { "description": "Optional. The lock settings of the service." } }, "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", + "type": "array", + "items": { + "$ref": "#/definitions/roleAssignmentType" + }, + "nullable": true, "metadata": { "description": "Optional. Array of role assignments to create." } @@ -168,7 +180,8 @@ "defaultValue": "Disabled", "allowedValues": [ "Enabled", - "Disabled" + "Disabled", + "SecuredByPerimeter" ], "metadata": { "description": "Optional. The configuration to set whether network access from public internet to the endpoints are allowed." diff --git a/avm/res/insights/data-collection-endpoint/version.json b/avm/res/insights/data-collection-endpoint/version.json index 3f863a2bec..ea4f3b6e67 100644 --- a/avm/res/insights/data-collection-endpoint/version.json +++ b/avm/res/insights/data-collection-endpoint/version.json @@ -1,7 +1,7 @@ { - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.4", - "pathFilters": [ - "./main.json" - ] + "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", + "version": "0.5", + "pathFilters": [ + "./main.json" + ] } \ No newline at end of file From b7ee1d6f38e5172d1bead284cdbe5659c42af451 Mon Sep 17 00:00:00 2001 
From: Kris Baranek <20225789+krbar@users.noreply.github.com> Date: Thu, 21 Nov 2024 23:28:26 +0100 Subject: [PATCH 6/6] feat: Add AVM Common Types to the `avm/res/insights/data-collection-rule` module (#3804) ## Description Utilizing AVM Common Types in `avm/res/insights/data-collection-rule` module ## Pipeline Reference | Pipeline | | -------- | | [![avm.res.insights.data-collection-rule](https://github.com/krbar/bicep-registry-modules/actions/workflows/avm.res.insights.data-collection-rule.yml/badge.svg?branch=users%2Fkrbar%2FudrCommonTypes)](https://github.com/krbar/bicep-registry-modules/actions/workflows/avm.res.insights.data-collection-rule.yml) | ## Type of Change - [ ] Update to CI Environment or utilities (Non-module affecting changes) - [x] Azure Verified Module updates: - [ ] Bugfix containing backwards-compatible bug fixes, and I have NOT bumped the MAJOR or MINOR version in `version.json`: - [ ] Someone has opened a bug report issue, and I have included "Closes #{bug_report_issue_number}" in the PR description. - [ ] The bug was found by the module author, and no one has opened an issue to report it yet. - [ ] Feature update backwards compatible feature updates, and I have bumped the MINOR version in `version.json`. - [ ] Breaking changes and I have bumped the MAJOR version in `version.json`. - [ ] Update to documentation ## Checklist - [x] I'm sure there are no other open Pull Requests for the same update/change - [x] I have run `Set-AVMModule` locally to generate the supporting module files. - [x] My corresponding pipelines / checks run clean and green without any errors or warnings --- .../insights/data-collection-rule/README.md | 13 +- .../insights/data-collection-rule/main.bicep | 22 +- .../insights/data-collection-rule/main.json | 363 +++++++++--------- .../modules/nested_conditionalScope.bicep | 46 +-- 4 files changed, 213 insertions(+), 231 deletions(-) 
diff --git a/avm/res/insights/data-collection-rule/README.md b/avm/res/insights/data-collection-rule/README.md index cc7b091211..073628f6c0 100644 --- a/avm/res/insights/data-collection-rule/README.md +++ b/avm/res/insights/data-collection-rule/README.md @@ -8,6 +8,7 @@ This module deploys a Data Collection Rule. - [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) +- [Cross-referenced modules](#Cross-referenced-modules) - [Data Collection](#Data-Collection) ## Resource Types @@ -2804,7 +2805,7 @@ param tags = { | [`enableTelemetry`](#parameter-enabletelemetry) | bool | Enable/Disable usage telemetry for module. | | [`location`](#parameter-location) | string | Location for all Resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | -| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. Only one type of, and up to one managed identity is supported. | +| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | | [`tags`](#parameter-tags) | object | Resource tags. | @@ -2876,7 +2877,7 @@ Specify the name of lock. ### Parameter: `managedIdentities` -The managed identity definition for this resource. Only one type of, and up to one managed identity is supported. +The managed identity definition for this resource. - Required: No - Type: object 
@@ -3022,6 +3023,14 @@ Resource tags. | `resourceId` | string | The resource ID of the dataCollectionRule. | | `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | +## Cross-referenced modules + +This section gives you an overview of all local-referenced module files (i.e., other modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). + +| Reference | Type | +| :-- | :-- | +| `br/public:avm/utl/types/avm-common-types:0.3.0` | Remote reference | + ## Data Collection The software may collect information about you and your use of the software and send it to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may turn off the telemetry as described in the [repository](https://aka.ms/avm/telemetry). There are also some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law, including providing appropriate notices to users of your applications together with a copy of Microsoft’s privacy statement. Our privacy statement is located at . You can learn more about data collection and use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices. diff --git a/avm/res/insights/data-collection-rule/main.bicep b/avm/res/insights/data-collection-rule/main.bicep index 29d61583fe..55797d4a15 100644 --- a/avm/res/insights/data-collection-rule/main.bicep +++ b/avm/res/insights/data-collection-rule/main.bicep 
@@ -18,14 +18,17 @@ param enableTelemetry bool = true @description('Optional. Location for all Resources.') param location string = resourceGroup().location +import { lockType } from 'br/public:avm/utl/types/avm-common-types:0.3.0' @description('Optional. The lock settings of the service.') -param lock lockType +param lock lockType? -@description('Optional. The managed identity definition for this resource. Only one type of, and up to one managed identity is supported.') -param managedIdentities managedIdentitiesType +import { managedIdentityAllType } from 'br/public:avm/utl/types/avm-common-types:0.3.0' +@description('Optional. The managed identity definition for this resource.') +param managedIdentities managedIdentityAllType? +import { roleAssignmentType } from 'br/public:avm/utl/types/avm-common-types:0.3.0' @description('Optional. Array of role assignments to create.') -param roleAssignments roleAssignmentType +param roleAssignments roleAssignmentType[]? @description('Optional. Resource tags.') param tags object? @@ -159,16 +162,7 @@ output systemAssignedMIPrincipalId string = dataCollectionRuleProperties.kind == // Definitions // // =============== // -import { roleAssignmentType, lockType } from 'modules/nested_conditionalScope.bicep' - -type managedIdentitiesType = { - @description('Optional. Enables system assigned managed identity on the resource.') - systemAssigned: bool? - - @description('Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption.') - userAssignedResourceIds: string[]? -}? - +@export() @discriminator('kind') type dataCollectionRulePropertiesType = | linuxDcrPropertiesType diff --git a/avm/res/insights/data-collection-rule/main.json b/avm/res/insights/data-collection-rule/main.json index c9b904f82f..149cf1d812 100644 --- a/avm/res/insights/data-collection-rule/main.json +++ b/avm/res/insights/data-collection-rule/main.json 
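Review bot: The new `managedIdentities managedIdentityAllType?` parameter silently drops the constraint the old description carried, 'Only one type of, and up to one managed identity is supported', so a caller can now pass `systemAssigned: true` together with several `userAssignedResourceIds` and, if the resource provider still enforces that limit, only learn of it when the deployment fails. If the limit still applies, keep it in the description — `@description('Optional. The managed identity definition for this resource. Only one type of, and up to one managed identity is supported.')` — or use a narrower identity type if the `avm-common-types` module provides one. As a point of style, the three separate `import { … } from 'br/public:avm/utl/types/avm-common-types:0.3.0'` statements could be a single import so the pinned version is declared once. The identity object built from this parameter lies outside the hunk, so I cannot see whether it already rejects or merges both identity kinds.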
@@ -5,37 +5,14 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "6159067500010827927" + "version": "0.31.92.45157", + "templateHash": "14881778773754127105" }, "name": "Data Collection Rules", "description": "This module deploys a Data Collection Rule.", "owner": "Azure/module-maintainers" }, "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption." - } - } - }, - "nullable": true - }, "dataCollectionRulePropertiesType": { "type": "object", "discriminator": { @@ -54,6 +31,9 @@ "$ref": "#/definitions/agentSettingsDcrPropertiesType" } } + }, + "metadata": { + "__bicep_export!": true } }, "linuxDcrPropertiesType": { 
@@ -300,88 +280,113 @@ } } }, - "nullable": true, "metadata": { + "description": "An AVM-aligned type for a lock.", "__bicep_imported_from!": { - "sourceTemplate": "modules/nested_conditionalScope.bicep" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.3.0" } } }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." 
- } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } + "managedIdentityAllType": { + "type": "object", + "properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + }, + "userAssignedResourceIds": { + "type": "array", + "items": { + "type": "string" }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } + "nullable": true, + "metadata": { + "description": "Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption." } } }, - "nullable": true, "metadata": { + "description": "An AVM-aligned type for a managed identity configuration. To be used if both a system-assigned & user-assigned identities are supported by the resource provider.", "__bicep_imported_from!": { - "sourceTemplate": "modules/nested_conditionalScope.bicep" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.3.0" + } + } + }, + "roleAssignmentType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated." + } + }, + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. 
The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } + }, + "metadata": { + "description": "An AVM-aligned type for a role assignment.", + "__bicep_imported_from!": { + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.3.0" } } } 
@@ -415,18 +420,24 @@ }, "lock": { "$ref": "#/definitions/lockType", + "nullable": true, "metadata": { "description": "Optional. The lock settings of the service." } }, "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", + "$ref": "#/definitions/managedIdentityAllType", + "nullable": true, "metadata": { - "description": "Optional. The managed identity definition for this resource. Only one type of, and up to one managed identity is supported." + "description": "Optional. The managed identity definition for this resource." } }, "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", + "type": "array", + "items": { + "$ref": "#/definitions/roleAssignmentType" + }, + "nullable": true, "metadata": { "description": "Optional. Array of role assignments to create." } @@ -522,8 +533,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.29.47.4906", - "templateHash": "13511678579138725426" + "version": "0.31.92.45157", + "templateHash": "9020805060946792832" } }, "definitions": { 
@@ -550,91 +561,96 @@ } } }, - "nullable": true, "metadata": { - "__bicep_export!": true + "description": "An AVM-aligned type for a lock.", + "__bicep_imported_from!": { + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.3.0" + } } }, "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. 
Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated." + } + }, + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." } } }, - "nullable": true, "metadata": { - "__bicep_export!": true + "description": "An AVM-aligned type for a role assignment.", + "__bicep_imported_from!": { + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.3.0" + } } } }, "parameters": { "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", + "type": "array", + "items": { + "$ref": "#/definitions/roleAssignmentType" + }, + "nullable": true, "metadata": { "description": "Optional. Array of role assignments to create." } @@ -648,6 +664,7 @@ }, "lock": { "$ref": "#/definitions/lockType", + "nullable": true, "metadata": { "description": "Optional. The lock settings of the service." } diff --git a/avm/res/insights/data-collection-rule/modules/nested_conditionalScope.bicep b/avm/res/insights/data-collection-rule/modules/nested_conditionalScope.bicep index 8ef88bd7df..bff1dd7cbc 100644 --- a/avm/res/insights/data-collection-rule/modules/nested_conditionalScope.bicep +++ b/avm/res/insights/data-collection-rule/modules/nested_conditionalScope.bicep @@ -1,11 +1,13 @@ +import { roleAssignmentType } from 'br/public:avm/utl/types/avm-common-types:0.3.0' @description('Optional. Array of role assignments to create.') -param roleAssignments roleAssignmentType +param roleAssignments roleAssignmentType[]? @description('Optional. Built-in role names.') param builtInRoleNames object = {} +import { lockType } from 'br/public:avm/utl/types/avm-common-types:0.3.0' @description('Optional. The lock settings of the service.') -param lock lockType +param lock lockType? @description('Required. Name of the Data Collection Rule to assign the role(s) to.') param dataCollectionRuleName string 
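Review bot: The two `import { … } from 'br/public:avm/utl/types/avm-common-types:0.3.0'` statements in this nested module repeat the same pinned registry reference, one before `roleAssignments` and one before `lock`; a single `import { lockType, roleAssignmentType } from 'br/public:avm/utl/types/avm-common-types:0.3.0'` at the top of the file leaves exactly one version string to bump and review, which matters for a dependency pulled from a public registry. Keeping the reference pinned to an explicit version, as done here, is the right posture and should not be relaxed to a floating tag later. Both `roleAssignments` and `lock` are now nullable, and the resources that consume them start after this hunk, so whether they already guard against `null` (for example with `roleAssignments ?? []`) is not visible here.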
@@ -51,43 +53,3 @@ resource dataCollectionRule_lock 'Microsoft.Authorization/locks@2020-05-01' = if
 : 'Cannot delete or modify the resource or child resources.'
 }
 }
-
- // =============== //
- // Definitions //
- // =============== //
-
-@export()
-type lockType = {
- @description('Optional. Specify the name of lock.')
- name: string?
-
- @description('Optional. Specify the type of lock.')
- kind: ('CanNotDelete' | 'ReadOnly' | 'None')?
-}?
-
-@export()
-type roleAssignmentType = {
- @description('Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated.')
- name: string?
-
- @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.')
- roleDefinitionIdOrName: string
-
- @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.')
- principalId: string
-
- @description('Optional. The principal type of the assigned principal ID.')
- principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')?
-
- @description('Optional. The description of the role assignment.')
- description: string?
-
- @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".')
- condition: string?
-
- @description('Optional. Version of the condition.')
- conditionVersion: '2.0'?
-
- @description('Optional. The Resource Id of the delegated managed identity resource.')
- delegatedManagedIdentityResourceId: string?
-}[]?