From 2194eb101ae77fa5163ca6e7ba4c7475f2802959 Mon Sep 17 00:00:00 2001 From: Tao Yang Date: Tue, 6 Feb 2024 03:04:59 +1100 Subject: [PATCH] feat: add additional input parameters and child module for App Insights AVM module (#896) ## Description closes #895 ## Pipeline [![avm.res.insights.component](https://github.com/tyconsulting/bicep-registry-modules/actions/workflows/avm.res.insights.component.yml/badge.svg?branch=users%2Ftao%2F895_appInsights)](https://github.com/tyconsulting/bicep-registry-modules/actions/workflows/avm.res.insights.component.yml) ## Adding a new module - [ ] A proposal has been submitted and approved. - [ ] I have included "Closes #{module_proposal_issue_number}" in the PR description. - [ ] I have run `brm validate` locally to verify the module files. - [ ] I have run deployment tests locally to ensure the module is deployable. ## Updating an existing module - [ ] This is a bug fix: - [ ] Someone has opened a bug report issue, and I have included "Closes #{bug_report_issue_number}" in the PR description. - [ ] The bug was found by the module author, and no one has opened an issue to report it yet. - [ ] I have run `brm validate` locally to verify the module files. - [x] I have run deployment tests locally to ensure the module is deployable. - [x] I have read the [Updating an existing module](https://github.com/Azure/bicep-registry-modules/blob/main/CONTRIBUTING.md#updating-an-existing-module) section in the contributing guide and updated the `version.json` file properly: - [ ] The PR contains backwards compatible bug fixes, and I have NOT bumped the MAJOR or MINOR version in `version.json`. - [x] The PR contains backwards compatible feature updates, and I have bumped the MINOR version in `version.json`. - [ ] The PR contains breaking changes, and I have bumped the MAJOR version in `version.json`. - [x] I have updated the examples in README with the latest module version number. --------- Co-authored-by: Kris Baranek --- avm/res/insights/component/README.md | 53 ++++++++ .../component/linkedStorageAccounts/README.md | 62 ++++++++++ .../linkedStorageAccounts/main.bicep | 30 +++++ .../component/linkedStorageAccounts/main.json | 61 +++++++++ .../linkedStorageAccounts/version.json | 7 ++ avm/res/insights/component/main.bicep | 23 ++++ avm/res/insights/component/main.json | 117 +++++++++++++++++- .../tests/e2e/max/dependencies.bicep | 26 +++- .../component/tests/e2e/max/main.test.bicep | 5 + avm/res/insights/component/version.json | 10 +- 10 files changed, 386 insertions(+), 8 deletions(-) create mode 100644 avm/res/insights/component/linkedStorageAccounts/README.md create mode 100644 avm/res/insights/component/linkedStorageAccounts/main.bicep create mode 100644 avm/res/insights/component/linkedStorageAccounts/main.json create mode 100644 avm/res/insights/component/linkedStorageAccounts/version.json diff --git a/avm/res/insights/component/README.md b/avm/res/insights/component/README.md index d75b5b633b..af0f62f3c8 100644 --- a/avm/res/insights/component/README.md +++ b/avm/res/insights/component/README.md @@ -17,6 +17,7 @@ This component deploys an Application Insights instance. | :-- | :-- | | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | | `Microsoft.Insights/components` | [2020-02-02](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2020-02-02/components) | +| `microsoft.insights/components/linkedStorageAccounts` | [2020-03-01-preview](https://learn.microsoft.com/en-us/azure/templates/microsoft.insights/2020-03-01-preview/components/linkedStorageAccounts) | | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | ## Usage examples @@ -114,6 +115,10 @@ module component 'br/public:avm/res/insights/component:' = { workspaceResourceId: '' } ] + disableIpMasking: false + disableLocalAuth: true + forceCustomerStorageForProfiler: true + linkedStorageAccountResourceId: '' location: '' roleAssignments: [ { @@ -177,6 +182,18 @@ module component 'br/public:avm/res/insights/component:' = { } ] }, + "disableIpMasking": { + "value": false + }, + "disableLocalAuth": { + "value": true + }, + "forceCustomerStorageForProfiler": { + "value": true + }, + "linkedStorageAccountResourceId": { + "value": "" + }, "location": { "value": "" }, @@ -323,8 +340,12 @@ module component 'br/public:avm/res/insights/component:' = { | :-- | :-- | :-- | | [`applicationType`](#parameter-applicationtype) | string | Application type. | | [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | +| [`disableIpMasking`](#parameter-disableipmasking) | bool | Disable IP masking. Default value is set to true. | +| [`disableLocalAuth`](#parameter-disablelocalauth) | bool | Disable Non-AAD based Auth. Default value is set to false. | | [`enableTelemetry`](#parameter-enabletelemetry) | bool | Enable/Disable usage telemetry for module. | +| [`forceCustomerStorageForProfiler`](#parameter-forcecustomerstorageforprofiler) | bool | Force users to create their own storage account for profiler and debugger. | | [`kind`](#parameter-kind) | string | The kind of application that this component refers to, used to customize UI. This value is a freeform string, values should typically be one of the following: web, ios, other, store, java, phone. | +| [`linkedStorageAccountResourceId`](#parameter-linkedstorageaccountresourceid) | string | Linked storage account resource ID. | | [`location`](#parameter-location) | string | Location for all Resources. | | [`publicNetworkAccessForIngestion`](#parameter-publicnetworkaccessforingestion) | string | The network access type for accessing Application Insights ingestion. - Enabled or Disabled. | | [`publicNetworkAccessForQuery`](#parameter-publicnetworkaccessforquery) | string | The network access type for accessing Application Insights query. - Enabled or Disabled. | @@ -453,6 +474,22 @@ Resource ID of the diagnostic log analytics workspace. For security reasons, it - Required: No - Type: string +### Parameter: `disableIpMasking` + +Disable IP masking. Default value is set to true. + +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `disableLocalAuth` + +Disable Non-AAD based Auth. Default value is set to false. + +- Required: No +- Type: bool +- Default: `False` + ### Parameter: `enableTelemetry` Enable/Disable usage telemetry for module. @@ -461,6 +498,14 @@ Enable/Disable usage telemetry for module. - Type: bool - Default: `True` +### Parameter: `forceCustomerStorageForProfiler` + +Force users to create their own storage account for profiler and debugger. + +- Required: No +- Type: bool +- Default: `False` + ### Parameter: `kind` The kind of application that this component refers to, used to customize UI. This value is a freeform string, values should typically be one of the following: web, ios, other, store, java, phone. @@ -469,6 +514,14 @@ The kind of application that this component refers to, used to customize UI. Thi - Type: string - Default: `''` +### Parameter: `linkedStorageAccountResourceId` + +Linked storage account resource ID. + +- Required: No +- Type: string +- Default: `''` + ### Parameter: `location` Location for all Resources. diff --git a/avm/res/insights/component/linkedStorageAccounts/README.md b/avm/res/insights/component/linkedStorageAccounts/README.md new file mode 100644 index 0000000000..83106ae2fd --- /dev/null +++ b/avm/res/insights/component/linkedStorageAccounts/README.md @@ -0,0 +1,62 @@ +# Application Insights Linked Storage Account `[microsoft.insights/components/linkedStorageAccounts]` + +This component deploys an Application Insights Linked Storage Account. + +## Navigation + +- [Resource Types](#Resource-Types) +- [Parameters](#Parameters) +- [Outputs](#Outputs) +- [Cross-referenced modules](#Cross-referenced-modules) +- [Data Collection](#Data-Collection) + +## Resource Types + +| Resource Type | API Version | +| :-- | :-- | +| `microsoft.insights/components/linkedStorageAccounts` | [2020-03-01-preview](https://learn.microsoft.com/en-us/azure/templates/microsoft.insights/2020-03-01-preview/components/linkedStorageAccounts) | + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`storageAccountResourceId`](#parameter-storageaccountresourceid) | string | Linked storage account resource ID. | + +**Conditional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`appInsightsName`](#parameter-appinsightsname) | string | The name of the parent Application Insights instance. Required if the template is used in a standalone deployment. | + +### Parameter: `storageAccountResourceId` + +Linked storage account resource ID. + +- Required: Yes +- Type: string + +### Parameter: `appInsightsName` + +The name of the parent Application Insights instance. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the Linked Storage Account. | +| `resourceGroupName` | string | The resource group the agent pool was deployed into. | +| `resourceId` | string | The resource ID of the Linked Storage Account. | + +## Cross-referenced modules + +_None_ + +## Data Collection + +The software may collect information about you and your use of the software and send it to Microsoft. Microsoft may use this information to provide services and improve our products and services. You may turn off the telemetry as described in the [repository](https://aka.ms/avm/telemetry). There are also some features in the software that may enable you and Microsoft to collect data from users of your applications. If you use these features, you must comply with applicable law, including providing appropriate notices to users of your applications together with a copy of Microsoft’s privacy statement. Our privacy statement is located at . You can learn more about data collection and use in the help documentation and our privacy statement. Your use of the software operates as your consent to these practices. diff --git a/avm/res/insights/component/linkedStorageAccounts/main.bicep b/avm/res/insights/component/linkedStorageAccounts/main.bicep new file mode 100644 index 0000000000..065b289da1 --- /dev/null +++ b/avm/res/insights/component/linkedStorageAccounts/main.bicep @@ -0,0 +1,30 @@ +metadata name = 'Application Insights Linked Storage Account' +metadata description = 'This component deploys an Application Insights Linked Storage Account.' +metadata owner = 'Azure/module-maintainers' + +@description('Conditional. The name of the parent Application Insights instance. Required if the template is used in a standalone deployment.') +param appInsightsName string + +@description('Required. Linked storage account resource ID.') +param storageAccountResourceId string + +resource appInsights 'Microsoft.Insights/components@2020-02-02' existing = { + name: appInsightsName +} + +resource linkedStorageAccount 'Microsoft.Insights/components/linkedStorageAccounts@2020-03-01-preview' = { + name: 'ServiceProfiler' + parent: appInsights + properties: { + linkedStorageAccount: storageAccountResourceId + } +} + +@description('The name of the Linked Storage Account.') +output name string = linkedStorageAccount.name + +@description('The resource ID of the Linked Storage Account.') +output resourceId string = linkedStorageAccount.id + +@description('The resource group the agent pool was deployed into.') +output resourceGroupName string = resourceGroup().name diff --git a/avm/res/insights/component/linkedStorageAccounts/main.json b/avm/res/insights/component/linkedStorageAccounts/main.json new file mode 100644 index 0000000000..61ad1b2ed7 --- /dev/null +++ b/avm/res/insights/component/linkedStorageAccounts/main.json @@ -0,0 +1,61 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "15481388144279509267" + }, + "name": "Application Insights Linked Storage Account", + "description": "This component deploys an Application Insights Linked Storage Account.", + "owner": "Azure/module-maintainers" + }, + "parameters": { + "appInsightsName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent Application Insights instance. Required if the template is used in a standalone deployment." + } + }, + "storageAccountResourceId": { + "type": "string", + "metadata": { + "description": "Required. Linked storage account resource ID." + } + } + }, + "resources": [ + { + "type": "microsoft.insights/components/linkedStorageAccounts", + "apiVersion": "2020-03-01-preview", + "name": "[format('{0}/{1}', parameters('appInsightsName'), 'ServiceProfiler')]", + "properties": { + "linkedStorageAccount": "[parameters('storageAccountResourceId')]" + } + } + ], + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the Linked Storage Account." + }, + "value": "ServiceProfiler" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the Linked Storage Account." + }, + "value": "[resourceId('microsoft.insights/components/linkedStorageAccounts', parameters('appInsightsName'), 'ServiceProfiler')]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The resource group the agent pool was deployed into." + }, + "value": "[resourceGroup().name]" + } + } +} \ No newline at end of file diff --git a/avm/res/insights/component/linkedStorageAccounts/version.json b/avm/res/insights/component/linkedStorageAccounts/version.json new file mode 100644 index 0000000000..729ac87673 --- /dev/null +++ b/avm/res/insights/component/linkedStorageAccounts/version.json @@ -0,0 +1,7 @@ +{ + "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", + "version": "0.2", + "pathFilters": [ + "./main.json" + ] +} \ No newline at end of file diff --git a/avm/res/insights/component/main.bicep b/avm/res/insights/component/main.bicep index 078e1404da..2b0732c4f9 100644 --- a/avm/res/insights/component/main.bicep +++ b/avm/res/insights/component/main.bicep @@ -15,6 +15,18 @@ param applicationType string = 'web' @description('Required. Resource ID of the log analytics workspace which the data will be ingested to. This property is required to create an application with this API version. Applications from older versions will not have this property.') param workspaceResourceId string +@description('Optional. Disable IP masking. Default value is set to true.') +param disableIpMasking bool = true + +@description('Optional. Disable Non-AAD based Auth. Default value is set to false.') +param disableLocalAuth bool = false + +@description('Optional. Force users to create their own storage account for profiler and debugger.') +param forceCustomerStorageForProfiler bool = false + +@description('Optional. Linked storage account resource ID.') +param linkedStorageAccountResourceId string = '' + @description('Optional. The network access type for accessing Application Insights ingestion. - Enabled or Disabled.') @allowed([ 'Enabled' @@ -99,6 +111,9 @@ resource appInsights 'Microsoft.Insights/components@2020-02-02' = { kind: kind properties: { Application_Type: applicationType + DisableIpMasking: disableIpMasking + DisableLocalAuth: disableLocalAuth + ForceCustomerStorageForProfiler: forceCustomerStorageForProfiler WorkspaceResourceId: workspaceResourceId publicNetworkAccessForIngestion: publicNetworkAccessForIngestion publicNetworkAccessForQuery: publicNetworkAccessForQuery @@ -107,6 +122,14 @@ resource appInsights 'Microsoft.Insights/components@2020-02-02' = { } } +module linkedStorageAccount 'linkedStorageAccounts/main.bicep' = if (!empty(linkedStorageAccountResourceId)) { + name: '${uniqueString(deployment().name, location)}-appInsights-linkedStorageAccount' + params: { + appInsightsName: appInsights.name + storageAccountResourceId: linkedStorageAccountResourceId + } +} + resource appInsights_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { name: guid(appInsights.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) properties: { diff --git a/avm/res/insights/component/main.json b/avm/res/insights/component/main.json index 019623c96f..a4d8aadace 100644 --- a/avm/res/insights/component/main.json +++ b/avm/res/insights/component/main.json @@ -6,7 +6,7 @@ "_generator": { "name": "bicep", "version": "0.24.24.22086", - "templateHash": "14533830287443568216" + "templateHash": "18263440688499285591" }, "name": "Application Insights", "description": "This component deploys an Application Insights instance.", @@ -210,6 +210,34 @@ "description": "Required. Resource ID of the log analytics workspace which the data will be ingested to. This property is required to create an application with this API version. Applications from older versions will not have this property." } }, + "disableIpMasking": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Disable IP masking. Default value is set to true." + } + }, + "disableLocalAuth": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Disable Non-AAD based Auth. Default value is set to false." + } + }, + "forceCustomerStorageForProfiler": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Force users to create their own storage account for profiler and debugger." + } + }, + "linkedStorageAccountResourceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Linked storage account resource ID." + } + }, "publicNetworkAccessForIngestion": { "type": "string", "defaultValue": "Enabled", @@ -339,6 +367,9 @@ "kind": "[parameters('kind')]", "properties": { "Application_Type": "[parameters('applicationType')]", + "DisableIpMasking": "[parameters('disableIpMasking')]", + "DisableLocalAuth": "[parameters('disableLocalAuth')]", + "ForceCustomerStorageForProfiler": "[parameters('forceCustomerStorageForProfiler')]", "WorkspaceResourceId": "[parameters('workspaceResourceId')]", "publicNetworkAccessForIngestion": "[parameters('publicNetworkAccessForIngestion')]", "publicNetworkAccessForQuery": "[parameters('publicNetworkAccessForQuery')]", @@ -390,6 +421,90 @@ "dependsOn": [ "appInsights" ] + }, + "linkedStorageAccount": { + "condition": "[not(empty(parameters('linkedStorageAccountResourceId')))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-appInsights-linkedStorageAccount', uniqueString(deployment().name, parameters('location')))]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "appInsightsName": { + "value": "[parameters('name')]" + }, + "storageAccountResourceId": { + "value": "[parameters('linkedStorageAccountResourceId')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.24.24.22086", + "templateHash": "15481388144279509267" + }, + "name": "Application Insights Linked Storage Account", + "description": "This component deploys an Application Insights Linked Storage Account.", + "owner": "Azure/module-maintainers" + }, + "parameters": { + "appInsightsName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent Application Insights instance. Required if the template is used in a standalone deployment." + } + }, + "storageAccountResourceId": { + "type": "string", + "metadata": { + "description": "Required. Linked storage account resource ID." + } + } + }, + "resources": [ + { + "type": "microsoft.insights/components/linkedStorageAccounts", + "apiVersion": "2020-03-01-preview", + "name": "[format('{0}/{1}', parameters('appInsightsName'), 'ServiceProfiler')]", + "properties": { + "linkedStorageAccount": "[parameters('storageAccountResourceId')]" + } + } + ], + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the Linked Storage Account." + }, + "value": "ServiceProfiler" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the Linked Storage Account." + }, + "value": "[resourceId('microsoft.insights/components/linkedStorageAccounts', parameters('appInsightsName'), 'ServiceProfiler')]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The resource group the agent pool was deployed into." + }, + "value": "[resourceGroup().name]" + } + } + } + }, + "dependsOn": [ + "appInsights" + ] } }, "outputs": { diff --git a/avm/res/insights/component/tests/e2e/max/dependencies.bicep b/avm/res/insights/component/tests/e2e/max/dependencies.bicep index a7f42aee7b..dfc9e8a89c 100644 --- a/avm/res/insights/component/tests/e2e/max/dependencies.bicep +++ b/avm/res/insights/component/tests/e2e/max/dependencies.bicep @@ -4,10 +4,32 @@ param location string = resourceGroup().location @description('Required. The name of the Managed Identity to create.') param managedIdentityName string +@description('Required. The name of the Storage Account to create.') +param storageAccountName string + resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { - name: managedIdentityName - location: location + name: managedIdentityName + location: location +} + +resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = { + name: storageAccountName + location: location + sku: { + name: 'Standard_LRS' + } + kind: 'StorageV2' + properties: { + allowBlobPublicAccess: false + networkAcls: { + defaultAction: 'Deny' + bypass: 'AzureServices' + } + } } +@description('The resource ID of the created Storage Account.') +output storageAccountResourceId string = storageAccount.id + @description('The principal ID of the created Managed Identity.') output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/avm/res/insights/component/tests/e2e/max/main.test.bicep b/avm/res/insights/component/tests/e2e/max/main.test.bicep index fe5aa82226..1f587dd740 100644 --- a/avm/res/insights/component/tests/e2e/max/main.test.bicep +++ b/avm/res/insights/component/tests/e2e/max/main.test.bicep @@ -36,6 +36,7 @@ module nestedDependencies 'dependencies.bicep' = { name: '${uniqueString(deployment().name, resourceLocation)}-nestedDependencies' params: { managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + storageAccountName: 'dep${namePrefix}sa${serviceShort}' location: resourceLocation } } @@ -64,6 +65,10 @@ module testDeployment '../../../main.bicep' = { params: { name: '${namePrefix}${serviceShort}001' location: resourceLocation + disableIpMasking: false + disableLocalAuth: true + forceCustomerStorageForProfiler: true + linkedStorageAccountResourceId: nestedDependencies.outputs.storageAccountResourceId workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId diagnosticSettings: [ { diff --git a/avm/res/insights/component/version.json b/avm/res/insights/component/version.json index 83083db694..729ac87673 100644 --- a/avm/res/insights/component/version.json +++ b/avm/res/insights/component/version.json @@ -1,7 +1,7 @@ { - "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.1", - "pathFilters": [ - "./main.json" - ] + "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", + "version": "0.2", + "pathFilters": [ + "./main.json" + ] } \ No newline at end of file