Merge branch 'Azure:main' into Issue1333-vpn-server-configuration
ericscheffler authored Aug 30, 2024
2 parents 1f91282 + 604beb8 commit b524163
Showing 88 changed files with 6,573 additions and 2,634 deletions.
4 changes: 2 additions & 2 deletions avm/ptn/authorization/policy-assignment/README.md
Expand Up @@ -875,7 +875,7 @@ module policyAssignment 'br/public:avm/ptn/authorization/policy-assignment:<vers
| [`parameters`](#parameter-parameters) | object | Parameters for the policy assignment if needed. |
| [`resourceGroupName`](#parameter-resourcegroupname) | string | The Target Scope for the Policy. The name of the resource group for the policy assignment. |
| [`resourceSelectors`](#parameter-resourceselectors) | array | The resource selector list to filter policies by resource properties. Facilitates safe deployment practices (SDP) by enabling gradual roll out policy assignments based on factors like resource location, resource type, or whether a resource has a location. |
| [`roleDefinitionIds`](#parameter-roledefinitionids) | array | The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition. |
| [`roleDefinitionIds`](#parameter-roledefinitionids) | array | The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. See https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition. |
| [`subscriptionId`](#parameter-subscriptionid) | string | The Target Scope for the Policy. The subscription ID of the subscription for the policy assignment. |
| [`userAssignedIdentityId`](#parameter-userassignedidentityid) | string | The Resource ID for the user assigned identity to assign to the policy assignment. |

Expand Down Expand Up @@ -1022,7 +1022,7 @@ The resource selector list to filter policies by resource properties. Facilitate

### Parameter: `roleDefinitionIds`

The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition.
The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. See https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition.

- Required: No
- Type: array
2 changes: 1 addition & 1 deletion avm/ptn/authorization/policy-assignment/main.bicep
Expand Up @@ -31,7 +31,7 @@ param identity string = 'SystemAssigned'
@sys.description('Optional. The Resource ID for the user assigned identity to assign to the policy assignment.')
param userAssignedIdentityId string = ''

@sys.description('Optional. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.. See https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition.')
@sys.description('Optional. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'. See https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition.')
param roleDefinitionIds array = []

@sys.description('Optional. The policy assignment metadata. Metadata is an open ended object and is typically a collection of key-value pairs.')
18 changes: 9 additions & 9 deletions avm/ptn/authorization/policy-assignment/main.json
Expand Up @@ -4,8 +4,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.28.1.47646",
"templateHash": "7409207305186624461"
"version": "0.29.47.4906",
"templateHash": "2876622926889063776"
},
"name": "Policy Assignments (All scopes)",
"description": "This module deploys a Policy Assignment at a Management Group, Subscription or Resource Group scope.",
Expand Down Expand Up @@ -69,7 +69,7 @@
"type": "array",
"defaultValue": [],
"metadata": {
"description": "Optional. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'.. See https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition."
"description": "Optional. The IDs Of the Azure Role Definition list that is used to assign permissions to the identity. You need to provide either the fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. See https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles for the list IDs for built-in Roles. They must match on what is on the policy definition."
}
},
"metadata": {
Expand Down Expand Up @@ -226,8 +226,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.28.1.47646",
"templateHash": "10754608594936413857"
"version": "0.29.47.4906",
"templateHash": "3257252324855693362"
},
"name": "Policy Assignments (Management Group scope)",
"description": "This module deploys a Policy Assignment at a Management Group scope.",
Expand Down Expand Up @@ -481,8 +481,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.28.1.47646",
"templateHash": "14066444680843928013"
"version": "0.29.47.4906",
"templateHash": "3684200367628760752"
},
"name": "Policy Assignments (Subscription scope)",
"description": "This module deploys a Policy Assignment at a Subscription scope.",
Expand Down Expand Up @@ -736,8 +736,8 @@
"metadata": {
"_generator": {
"name": "bicep",
"version": "0.28.1.47646",
"templateHash": "17693268287104969526"
"version": "0.29.47.4906",
"templateHash": "3879842459774615474"
},
"name": "Policy Assignments (Resource Group scope)",
"description": "This module deploys a Policy Assignment at a Resource Group scope.",
58 changes: 58 additions & 0 deletions avm/res/app/container-app/README.md
Expand Up @@ -440,6 +440,13 @@ module containerApp 'br/public:avm/res/app/container-app:<version>' = {
environmentResourceId: '<environmentResourceId>'
name: 'acavnet001'
// Non-required parameters
additionalPortMappings: [
{
exposedPort: 8080
external: false
targetPort: 8080
}
]
ingressAllowInsecure: false
ingressExternal: false
ingressTargetPort: 80
Expand Down Expand Up @@ -481,6 +488,15 @@ module containerApp 'br/public:avm/res/app/container-app:<version>' = {
"value": "acavnet001"
},
// Non-required parameters
"additionalPortMappings": {
"value": [
{
"exposedPort": 8080,
"external": false,
"targetPort": 8080
}
]
},
"ingressAllowInsecure": {
"value": false
},
Expand Down Expand Up @@ -667,6 +683,7 @@ module containerApp 'br/public:avm/res/app/container-app:<version>' = {
| Parameter | Type | Description |
| :-- | :-- | :-- |
| [`activeRevisionsMode`](#parameter-activerevisionsmode) | string | Controls how active revisions are handled for the Container app. |
| [`additionalPortMappings`](#parameter-additionalportmappings) | array | Settings to expose additional ports on container app. |
| [`clientCertificateMode`](#parameter-clientcertificatemode) | string | Client certificate mode for mTLS. |
| [`corsPolicy`](#parameter-corspolicy) | object | Object userd to configure CORS policy. |
| [`customDomains`](#parameter-customdomains) | array | Custom domain bindings for Container App hostnames. |
Expand Down Expand Up @@ -1070,6 +1087,47 @@ Controls how active revisions are handled for the Container app.
]
```

### Parameter: `additionalPortMappings`

Settings to expose additional ports on container app.

- Required: No
- Type: array

**Required parameters**

| Parameter | Type | Description |
| :-- | :-- | :-- |
| [`external`](#parameter-additionalportmappingsexternal) | bool | Specifies whether the app port is accessible outside of the environment. |
| [`targetPort`](#parameter-additionalportmappingstargetport) | int | Specifies the port the container listens on. |

**Optional parameters**

| Parameter | Type | Description |
| :-- | :-- | :-- |
| [`exposedPort`](#parameter-additionalportmappingsexposedport) | int | Specifies the exposed port for the target port. If not specified, it defaults to target port. |

### Parameter: `additionalPortMappings.external`

Specifies whether the app port is accessible outside of the environment.

- Required: Yes
- Type: bool

### Parameter: `additionalPortMappings.targetPort`

Specifies the port the container listens on.

- Required: Yes
- Type: int

### Parameter: `additionalPortMappings.exposedPort`

Specifies the exposed port for the target port. If not specified, it defaults to target port.

- Required: No
- Type: int

### Parameter: `clientCertificateMode`

Client certificate mode for mTLS.
15 changes: 15 additions & 0 deletions avm/res/app/container-app/main.bicep
Expand Up @@ -47,6 +47,9 @@ param service object = {}
@description('Optional. Toggle to include the service configuration.')
param includeAddOns bool = false

@description('Optional. Settings to expose additional ports on container app.')
param additionalPortMappings ingressPortMapping[]?

@description('Optional. Bool indicating if HTTP connections to is allowed. If set to false HTTP connections are automatically redirected to HTTPS connections.')
param ingressAllowInsecure bool = true

Expand Down Expand Up @@ -217,6 +220,7 @@ resource containerApp 'Microsoft.App/containerApps@2024-03-01' = {
ingress: disableIngress
? null
: {
additionalPortMappings: additionalPortMappings
allowInsecure: ingressTransport != 'tcp' ? ingressAllowInsecure : false
customDomains: !empty(customDomains) ? customDomains : null
corsPolicy: corsPolicy != null && ingressTransport != 'tcp'
Expand Down Expand Up @@ -387,6 +391,17 @@ type container = {
volumeMounts: volumeMount[]?
}

type ingressPortMapping = {
@description('Optional. Specifies the exposed port for the target port. If not specified, it defaults to target port.')
exposedPort: int?

@description('Required. Specifies whether the app port is accessible outside of the environment.')
external: bool

@description('Required. Specifies the port the container listens on.')
targetPort: int
}

type serviceBind = {
@description('Required. The name of the service.')
name: string
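Review bot: The new `ingressPortMapping` type accepts any integer for `targetPort` and `exposedPort`, so an out-of-range port is only rejected by the resource provider at deployment time instead of at template validation. Bounding both properties in the type, with `@minValue(1)` and `@maxValue(65535)` above `targetPort: int` and `exposedPort: int?`, would fail such input early. Separately, nothing in the module relates a mapping's `external: true` to `ingressExternal`, so a template can set `ingressExternal: false` and still request an externally reachable extra port; whether the provider rejects that combination is not visible here. The `external` description should state the expected behaviour, for example `Required. Specifies whether the app port is accessible outside of the environment. Review together with ingressExternal and ipSecurityRestrictions.` The `containerApp` resource body and the `serviceBind` type continue outside the shown hunks.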
38 changes: 36 additions & 2 deletions avm/res/app/container-app/main.json
Expand Up @@ -6,7 +6,7 @@
"_generator": {
"name": "bicep",
"version": "0.29.47.4906",
"templateHash": "16433987478692764186"
"templateHash": "7992196126209120702"
},
"name": "Container Apps",
"description": "This module deploys a Container App.",
Expand Down Expand Up @@ -208,6 +208,30 @@
}
}
},
"ingressPortMapping": {
"type": "object",
"properties": {
"exposedPort": {
"type": "int",
"nullable": true,
"metadata": {
"description": "Optional. Specifies the exposed port for the target port. If not specified, it defaults to target port."
}
},
"external": {
"type": "bool",
"metadata": {
"description": "Required. Specifies whether the app port is accessible outside of the environment."
}
},
"targetPort": {
"type": "int",
"metadata": {
"description": "Required. Specifies the port the container listens on."
}
}
}
},
"serviceBind": {
"type": "object",
"properties": {
Expand Down Expand Up @@ -584,6 +608,16 @@
"description": "Optional. Toggle to include the service configuration."
}
},
"additionalPortMappings": {
"type": "array",
"items": {
"$ref": "#/definitions/ingressPortMapping"
},
"nullable": true,
"metadata": {
"description": "Optional. Settings to expose additional ports on container app."
}
},
"ingressAllowInsecure": {
"type": "bool",
"defaultValue": true,
Expand Down Expand Up @@ -846,7 +880,7 @@
"configuration": {
"activeRevisionsMode": "[parameters('activeRevisionsMode')]",
"dapr": "[if(not(empty(parameters('dapr'))), parameters('dapr'), null())]",
"ingress": "[if(parameters('disableIngress'), null(), createObject('allowInsecure', if(not(equals(parameters('ingressTransport'), 'tcp')), parameters('ingressAllowInsecure'), false()), 'customDomains', if(not(empty(parameters('customDomains'))), parameters('customDomains'), null()), 'corsPolicy', if(and(not(equals(parameters('corsPolicy'), null())), not(equals(parameters('ingressTransport'), 'tcp'))), createObject('allowCredentials', coalesce(tryGet(parameters('corsPolicy'), 'allowCredentials'), false()), 'allowedHeaders', coalesce(tryGet(parameters('corsPolicy'), 'allowedHeaders'), createArray()), 'allowedMethods', coalesce(tryGet(parameters('corsPolicy'), 'allowedMethods'), createArray()), 'allowedOrigins', coalesce(tryGet(parameters('corsPolicy'), 'allowedOrigins'), createArray()), 'exposeHeaders', coalesce(tryGet(parameters('corsPolicy'), 'exposeHeaders'), createArray()), 'maxAge', tryGet(parameters('corsPolicy'), 'maxAge')), null()), 'clientCertificateMode', if(not(equals(parameters('ingressTransport'), 'tcp')), parameters('clientCertificateMode'), null()), 'exposedPort', parameters('exposedPort'), 'external', parameters('ingressExternal'), 'ipSecurityRestrictions', if(not(empty(parameters('ipSecurityRestrictions'))), parameters('ipSecurityRestrictions'), null()), 'targetPort', parameters('ingressTargetPort'), 'stickySessions', createObject('affinity', parameters('stickySessionsAffinity')), 'traffic', if(not(equals(parameters('ingressTransport'), 'tcp')), createArray(createObject('label', parameters('trafficLabel'), 'latestRevision', parameters('trafficLatestRevision'), 'revisionName', parameters('trafficRevisionName'), 'weight', parameters('trafficWeight'))), null()), 'transport', parameters('ingressTransport')))]",
"ingress": "[if(parameters('disableIngress'), null(), createObject('additionalPortMappings', parameters('additionalPortMappings'), 'allowInsecure', if(not(equals(parameters('ingressTransport'), 'tcp')), parameters('ingressAllowInsecure'), false()), 'customDomains', if(not(empty(parameters('customDomains'))), parameters('customDomains'), null()), 'corsPolicy', if(and(not(equals(parameters('corsPolicy'), null())), not(equals(parameters('ingressTransport'), 'tcp'))), createObject('allowCredentials', coalesce(tryGet(parameters('corsPolicy'), 'allowCredentials'), false()), 'allowedHeaders', coalesce(tryGet(parameters('corsPolicy'), 'allowedHeaders'), createArray()), 'allowedMethods', coalesce(tryGet(parameters('corsPolicy'), 'allowedMethods'), createArray()), 'allowedOrigins', coalesce(tryGet(parameters('corsPolicy'), 'allowedOrigins'), createArray()), 'exposeHeaders', coalesce(tryGet(parameters('corsPolicy'), 'exposeHeaders'), createArray()), 'maxAge', tryGet(parameters('corsPolicy'), 'maxAge')), null()), 'clientCertificateMode', if(not(equals(parameters('ingressTransport'), 'tcp')), parameters('clientCertificateMode'), null()), 'exposedPort', parameters('exposedPort'), 'external', parameters('ingressExternal'), 'ipSecurityRestrictions', if(not(empty(parameters('ipSecurityRestrictions'))), parameters('ipSecurityRestrictions'), null()), 'targetPort', parameters('ingressTargetPort'), 'stickySessions', createObject('affinity', parameters('stickySessionsAffinity')), 'traffic', if(not(equals(parameters('ingressTransport'), 'tcp')), createArray(createObject('label', parameters('trafficLabel'), 'latestRevision', parameters('trafficLatestRevision'), 'revisionName', parameters('trafficRevisionName'), 'weight', parameters('trafficWeight'))), null()), 'transport', parameters('ingressTransport')))]",
"service": "[if(and(parameters('includeAddOns'), not(empty(parameters('service')))), parameters('service'), null())]",
"maxInactiveRevisions": "[parameters('maxInactiveRevisions')]",
"registries": "[if(not(empty(parameters('registries'))), parameters('registries'), null())]",
8 changes: 8 additions & 0 deletions avm/res/app/container-app/tests/e2e/vnet/main.test.bicep
Expand Up @@ -57,6 +57,14 @@ module testDeployment '../../../main.bicep' = [
ingressTransport: 'tcp'
ingressAllowInsecure: false
ingressTargetPort: 80
additionalPortMappings: [
{
external: false
targetPort: 8080
exposedPort: 8080
}
]

containers: [
{
name: 'simple-hello-world-container'
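Review bot: The added e2e mapping only exercises `external: false` with `exposedPort` equal to `targetPort`, so the documented fallback (an omitted `exposedPort` defaults to the target port) is never deployed by this test. A second entry that leaves `exposedPort` out, such as `{ external: false, targetPort: 8081 }` (constructed value), would cover the optional path of the `ingressPortMapping` type. The blank line after the closing `]` appears to be new and breaks the otherwise contiguous parameter list. The `containers` array continues outside the hunk.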
2 changes: 1 addition & 1 deletion avm/res/app/container-app/version.json
@@ -1,6 +1,6 @@
{
"$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
"version": "0.9",
"version": "0.10",
"pathFilters": [
"./main.json"
]