From 937f1c0ac333118cf3b7e8639c16c56b9a3d3aa3 Mon Sep 17 00:00:00 2001 
From: Alexander Sehr Date: Thu, 12 Dec 2024 16:42:11 +0100 Subject: [PATCH] feat: Updated Storage-Account CMK Implementation (#3853) ## Description - Updated Storage-Account CMK Implementation - Implemented AVM-Common-Types Linked to - Update CMK implementations as per https://github.com/Azure/bicep-registry-modules/issues/2842#issuecomment-2423679879 - Docs Update: https://github.com/Azure/Azure-Verified-Modules/pull/1683 - UDT update: https://github.com/Azure/bicep-registry-modules/pull/3724 ## Pipeline Reference | Pipeline | | -------- | | [![avm.res.storage.storage-account](https://github.com/AlexanderSehr/bicep-registry-modules/actions/workflows/avm.res.storage.storage-account.yml/badge.svg?branch=users%2Falsehr%2FcmkUpdateStorageAccount&event=workflow_dispatch)](https://github.com/AlexanderSehr/bicep-registry-modules/actions/workflows/avm.res.storage.storage-account.yml) | ## Type of Change - [ ] Update to CI Environment or utilities (Non-module affecting changes) - [x] Azure Verified Module updates: - [ ] Bugfix containing backwards-compatible bug fixes, and I have NOT bumped the MAJOR or MINOR version in `version.json`: - [ ] Someone has opened a bug report issue, and I have included "Closes #{bug_report_issue_number}" in the PR description. - [ ] The bug was found by the module author, and no one has opened an issue to report it yet. - [ ] Feature update backwards compatible feature updates, and I have bumped the MINOR version in `version.json`. - [ ] Breaking changes and I have bumped the MAJOR version in `version.json`. 
- [ ] Update to documentation --- avm/res/storage/storage-account/README.md | 13 +- .../storage-account/blob-service/README.md | 2 +- .../blob-service/container/README.md | 2 +- .../container/immutability-policy/main.json | 4 +- .../blob-service/container/main.bicep | 2 +- .../blob-service/container/main.json | 10 +- .../storage-account/blob-service/main.bicep | 2 +- .../storage-account/blob-service/main.json | 16 +- .../storage-account/file-service/README.md | 2 +- .../storage-account/file-service/main.bicep | 2 +- .../storage-account/file-service/main.json | 16 +- .../file-service/share/README.md | 2 +- .../file-service/share/main.bicep | 2 +- .../file-service/share/main.json | 10 +- .../storage-account/local-user/main.json | 4 +- avm/res/storage/storage-account/main.bicep | 22 ++- avm/res/storage/storage-account/main.json | 172 +++++++++--------- .../management-policy/main.json | 4 +- .../storage-account/queue-service/main.json | 8 +- .../queue-service/queue/main.json | 4 +- .../storage-account/table-service/main.json | 8 +- .../table-service/table/main.json | 4 +- avm/res/storage/storage-account/version.json | 2 +- 23 files changed, 166 insertions(+), 147 deletions(-) diff --git a/avm/res/storage/storage-account/README.md b/avm/res/storage/storage-account/README.md index 607e1004b9..bf133494b5 100644 --- a/avm/res/storage/storage-account/README.md +++ b/avm/res/storage/storage-account/README.md 
@@ -3306,7 +3306,8 @@ The customer managed key definition. | Parameter | Type | Description | | :-- | :-- | :-- | -| [`keyVersion`](#parameter-customermanagedkeykeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | +| [`autoRotationEnabled`](#parameter-customermanagedkeyautorotationenabled) | bool | Enable or disable auto-rotating to the latest key version. Default is `true`. If set to `false`, the latest key version at the time of the deployment is used. | +| [`keyVersion`](#parameter-customermanagedkeykeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, using version as per 'autoRotationEnabled' setting. | | [`userAssignedIdentityResourceId`](#parameter-customermanagedkeyuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. | ### Parameter: `customerManagedKey.keyName` @@ -3323,9 +3324,16 @@ The resource ID of a key vault to reference a customer managed key for encryptio - Required: Yes - Type: string +### Parameter: `customerManagedKey.autoRotationEnabled` + +Enable or disable auto-rotating to the latest key version. Default is `true`. If set to `false`, the latest key version at the time of the deployment is used. + +- Required: No +- Type: bool + ### Parameter: `customerManagedKey.keyVersion` -The version of the customer managed key to reference for encryption. If not provided, using 'latest'. +The version of the customer managed key to reference for encryption. If not provided, using version as per 'autoRotationEnabled' setting. - Required: No - Type: string 
@@ -4485,6 +4493,7 @@ This section gives you an overview of all local-referenced module files (i.e., o | :-- | :-- | | `br/public:avm/res/network/private-endpoint:0.7.1` | Remote reference | | `br/public:avm/utl/types/avm-common-types:0.2.1` | Remote reference | +| `br/public:avm/utl/types/avm-common-types:0.4.0` | Remote reference | ## Notes diff --git a/avm/res/storage/storage-account/blob-service/README.md b/avm/res/storage/storage-account/blob-service/README.md index 464c506615..abbfb2f927 100644 --- a/avm/res/storage/storage-account/blob-service/README.md +++ b/avm/res/storage/storage-account/blob-service/README.md @@ -341,4 +341,4 @@ This section gives you an overview of all local-referenced module files (i.e., o | Reference | Type | | :-- | :-- | -| `br/public:avm/utl/types/avm-common-types:0.2.1` | Remote reference | +| `br/public:avm/utl/types/avm-common-types:0.4.0` | Remote reference | diff --git a/avm/res/storage/storage-account/blob-service/container/README.md b/avm/res/storage/storage-account/blob-service/container/README.md index f90db350e2..c4a3f2d8a9 100644 --- a/avm/res/storage/storage-account/blob-service/container/README.md +++ b/avm/res/storage/storage-account/blob-service/container/README.md @@ -273,4 +273,4 @@ This section gives you an overview of all local-referenced module files (i.e., o | Reference | Type | | :-- | :-- | -| `br/public:avm/utl/types/avm-common-types:0.2.1` | Remote reference | +| `br/public:avm/utl/types/avm-common-types:0.4.0` | Remote reference | diff --git a/avm/res/storage/storage-account/blob-service/container/immutability-policy/main.json b/avm/res/storage/storage-account/blob-service/container/immutability-policy/main.json index 1a92a67f27..f5566a6be2 100644 --- a/avm/res/storage/storage-account/blob-service/container/immutability-policy/main.json +++ b/avm/res/storage/storage-account/blob-service/container/immutability-policy/main.json 
@@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.30.23.60470", - "templateHash": "17642721918788484059" + "version": "0.31.92.45157", + "templateHash": "377117240673904242" }, "name": "Storage Account Blob Container Immutability Policies", "description": "This module deploys a Storage Account Blob Container Immutability Policy.", diff --git a/avm/res/storage/storage-account/blob-service/container/main.bicep b/avm/res/storage/storage-account/blob-service/container/main.bicep index 78e7133d90..793bfec8d5 100644 --- a/avm/res/storage/storage-account/blob-service/container/main.bicep +++ b/avm/res/storage/storage-account/blob-service/container/main.bicep @@ -44,7 +44,7 @@ param metadata object = {} @description('Optional. Specifies whether data in the container may be accessed publicly and the level of access.') param publicAccess string = 'None' -import { roleAssignmentType } from 'br/public:avm/utl/types/avm-common-types:0.2.1' +import { roleAssignmentType } from 'br/public:avm/utl/types/avm-common-types:0.4.0' @description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType[]? diff --git a/avm/res/storage/storage-account/blob-service/container/main.json b/avm/res/storage/storage-account/blob-service/container/main.json index 46555744ca..49933a8a5e 100644 --- a/avm/res/storage/storage-account/blob-service/container/main.json +++ b/avm/res/storage/storage-account/blob-service/container/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.30.23.60470", - "templateHash": "2340678191837281561" + "version": "0.31.92.45157", + "templateHash": "13866122608356514480" }, "name": "Storage Account Blob Containers", "description": "This module deploys a Storage Account Blob Container.", 
@@ -84,7 +84,7 @@ "metadata": { "description": "An AVM-aligned type for a role assignment.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.1" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.4.0" } } } @@ -301,8 +301,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.30.23.60470", - "templateHash": "17642721918788484059" + "version": "0.31.92.45157", + "templateHash": "377117240673904242" }, "name": "Storage Account Blob Container Immutability Policies", "description": "This module deploys a Storage Account Blob Container Immutability Policy.", diff --git a/avm/res/storage/storage-account/blob-service/main.bicep b/avm/res/storage/storage-account/blob-service/main.bicep index 29ea2c950e..ac40903859 100644 --- a/avm/res/storage/storage-account/blob-service/main.bicep +++ b/avm/res/storage/storage-account/blob-service/main.bicep @@ -61,7 +61,7 @@ param restorePolicyDays int = 6 @description('Optional. Blob containers to create.') param containers array? -import { diagnosticSettingFullType } from 'br/public:avm/utl/types/avm-common-types:0.2.1' +import { diagnosticSettingFullType } from 'br/public:avm/utl/types/avm-common-types:0.4.0' @description('Optional. The diagnostic settings of the service.') param diagnosticSettings diagnosticSettingFullType[]? diff --git a/avm/res/storage/storage-account/blob-service/main.json b/avm/res/storage/storage-account/blob-service/main.json index 6bd0d12cc4..36977044b5 100644 --- a/avm/res/storage/storage-account/blob-service/main.json +++ b/avm/res/storage/storage-account/blob-service/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.30.23.60470", - "templateHash": "12420339026638684809" + "version": "0.31.92.45157", + "templateHash": "13498928590492156888" }, "name": "Storage Account blob Services", "description": "This module deploys a Storage Account Blob Service.", 
@@ -131,7 +131,7 @@ "metadata": { "description": "An AVM-aligned type for a diagnostic setting. To be used if both logs & metrics are supported by the resource provider.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.1" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.4.0" } } } @@ -412,8 +412,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.30.23.60470", - "templateHash": "2340678191837281561" + "version": "0.31.92.45157", + "templateHash": "13866122608356514480" }, "name": "Storage Account Blob Containers", "description": "This module deploys a Storage Account Blob Container.", @@ -491,7 +491,7 @@ "metadata": { "description": "An AVM-aligned type for a role assignment.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.1" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.4.0" } } } @@ -708,8 +708,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.30.23.60470", - "templateHash": "17642721918788484059" + "version": "0.31.92.45157", + "templateHash": "377117240673904242" }, "name": "Storage Account Blob Container Immutability Policies", "description": "This module deploys a Storage Account Blob Container Immutability Policy.", diff --git a/avm/res/storage/storage-account/file-service/README.md b/avm/res/storage/storage-account/file-service/README.md index 3321ebe9ed..e875b04210 100644 --- a/avm/res/storage/storage-account/file-service/README.md +++ b/avm/res/storage/storage-account/file-service/README.md @@ -239,4 +239,4 @@ This section gives you an overview of all local-referenced module files (i.e., o | Reference | Type | | :-- | :-- | -| `br/public:avm/utl/types/avm-common-types:0.2.1` | Remote reference | +| `br/public:avm/utl/types/avm-common-types:0.4.0` | Remote reference | 
diff --git a/avm/res/storage/storage-account/file-service/main.bicep b/avm/res/storage/storage-account/file-service/main.bicep index 0fcd8ad218..e768491045 100644 --- a/avm/res/storage/storage-account/file-service/main.bicep +++ b/avm/res/storage/storage-account/file-service/main.bicep @@ -18,7 +18,7 @@ param shareDeleteRetentionPolicy object = { days: 7 } -import { diagnosticSettingFullType } from 'br/public:avm/utl/types/avm-common-types:0.2.1' +import { diagnosticSettingFullType } from 'br/public:avm/utl/types/avm-common-types:0.4.0' @description('Optional. The diagnostic settings of the service.') param diagnosticSettings diagnosticSettingFullType[]? diff --git a/avm/res/storage/storage-account/file-service/main.json b/avm/res/storage/storage-account/file-service/main.json index fcf7489137..52ae62a8dd 100644 --- a/avm/res/storage/storage-account/file-service/main.json +++ b/avm/res/storage/storage-account/file-service/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.30.23.60470", - "templateHash": "11334292387756483860" + "version": "0.31.92.45157", + "templateHash": "652717210213575792" }, "name": "Storage Account File Share Services", "description": "This module deploys a Storage Account File Share Service.", @@ -131,7 +131,7 @@ "metadata": { "description": "An AVM-aligned type for a diagnostic setting. To be used if both logs & metrics are supported by the resource provider.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.1" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.4.0" } } } @@ -292,8 +292,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.30.23.60470", - "templateHash": "6729752654389555660" + "version": "0.31.92.45157", + "templateHash": "647440482037193710" }, "name": "Storage Account File Shares", "description": "This module deploys a Storage Account File Share.", 
@@ -371,7 +371,7 @@ "metadata": { "description": "An AVM-aligned type for a role assignment.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.1" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.4.0" } } } @@ -505,8 +505,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.30.23.60470", - "templateHash": "11498628270290452072" + "version": "0.31.92.45157", + "templateHash": "9505259635631318962" } }, "parameters": { diff --git a/avm/res/storage/storage-account/file-service/share/README.md b/avm/res/storage/storage-account/file-service/share/README.md index ea95552ebd..a8f922d6be 100644 --- a/avm/res/storage/storage-account/file-service/share/README.md +++ b/avm/res/storage/storage-account/file-service/share/README.md @@ -229,4 +229,4 @@ This section gives you an overview of all local-referenced module files (i.e., o | Reference | Type | | :-- | :-- | -| `br/public:avm/utl/types/avm-common-types:0.2.1` | Remote reference | +| `br/public:avm/utl/types/avm-common-types:0.4.0` | Remote reference | diff --git a/avm/res/storage/storage-account/file-service/share/main.bicep b/avm/res/storage/storage-account/file-service/share/main.bicep index cfcdfcd9c8..0aa96876d4 100644 --- a/avm/res/storage/storage-account/file-service/share/main.bicep +++ b/avm/res/storage/storage-account/file-service/share/main.bicep 
@@ -39,7 +39,7 @@ param enabledProtocols string = 'SMB' @description('Optional. Permissions for NFS file shares are enforced by the client OS rather than the Azure Files service. Toggling the root squash behavior reduces the rights of the root user for NFS shares.') param rootSquash string = 'NoRootSquash' -import { roleAssignmentType } from 'br/public:avm/utl/types/avm-common-types:0.2.1' +import { roleAssignmentType } from 'br/public:avm/utl/types/avm-common-types:0.4.0' @description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType[]? diff --git a/avm/res/storage/storage-account/file-service/share/main.json b/avm/res/storage/storage-account/file-service/share/main.json index 9e09ac6d64..3c19d320cb 100644 --- a/avm/res/storage/storage-account/file-service/share/main.json +++ b/avm/res/storage/storage-account/file-service/share/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.30.23.60470", - "templateHash": "6729752654389555660" + "version": "0.31.92.45157", + "templateHash": "647440482037193710" }, "name": "Storage Account File Shares", "description": "This module deploys a Storage Account File Share.", @@ -84,7 +84,7 @@ "metadata": { "description": "An AVM-aligned type for a role assignment.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.1" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.4.0" } } } @@ -218,8 +218,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.30.23.60470", - "templateHash": "11498628270290452072" + "version": "0.31.92.45157", + "templateHash": "9505259635631318962" } }, "parameters": { diff --git a/avm/res/storage/storage-account/local-user/main.json b/avm/res/storage/storage-account/local-user/main.json index d607b2b771..7c9a47658a 100644 --- a/avm/res/storage/storage-account/local-user/main.json 
+++ b/avm/res/storage/storage-account/local-user/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.30.23.60470", - "templateHash": "4771770611168248415" + "version": "0.31.92.45157", + "templateHash": "13871524692494146314" }, "name": "Storage Account Local Users", "description": "This module deploys a Storage Account Local User, which is used for SFTP authentication.", diff --git a/avm/res/storage/storage-account/main.bicep b/avm/res/storage/storage-account/main.bicep index 9dfc1ca705..9606338046 100644 --- a/avm/res/storage/storage-account/main.bicep +++ b/avm/res/storage/storage-account/main.bicep @@ -9,11 +9,11 @@ param name string @description('Optional. Location for all resources.') param location string = resourceGroup().location -import { roleAssignmentType } from 'br/public:avm/utl/types/avm-common-types:0.2.1' +import { roleAssignmentType } from 'br/public:avm/utl/types/avm-common-types:0.4.0' @description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType[]? -import { managedIdentityAllType } from 'br/public:avm/utl/types/avm-common-types:0.2.1' +import { managedIdentityAllType } from 'br/public:avm/utl/types/avm-common-types:0.4.0' @description('Optional. The managed identity definition for this resource.') param managedIdentities managedIdentityAllType? 
@@ -64,7 +64,7 @@ param defaultToOAuthAuthentication bool = false @description('Optional. Indicates whether the storage account permits requests to be authorized with the account access key via Shared Key. If false, then all requests, including shared access signatures, must be authorized with Azure Active Directory (Azure AD). The default value is null, which is equivalent to true.') param allowSharedKeyAccess bool = true -import { privateEndpointMultiServiceType } from 'br/public:avm/utl/types/avm-common-types:0.2.1' +import { privateEndpointMultiServiceType } from 'br/public:avm/utl/types/avm-common-types:0.4.0' @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.') param privateEndpoints privateEndpointMultiServiceType[]? @@ -138,11 +138,11 @@ param isLocalUserEnabled bool = false @description('Optional. If true, enables NFS 3.0 support for the storage account. Requires enableHierarchicalNamespace to be true.') param enableNfsV3 bool = false -import { diagnosticSettingFullType } from 'br/public:avm/utl/types/avm-common-types:0.2.1' +import { diagnosticSettingFullType } from 'br/public:avm/utl/types/avm-common-types:0.4.0' @description('Optional. The diagnostic settings of the service.') param diagnosticSettings diagnosticSettingFullType[]? -import { lockType } from 'br/public:avm/utl/types/avm-common-types:0.2.1' +import { lockType } from 'br/public:avm/utl/types/avm-common-types:0.4.0' @description('Optional. The lock settings of the service.') param lock lockType? 
@@ -171,9 +171,9 @@ param publicNetworkAccess string = '' @description('Optional. Allows HTTPS traffic only to storage service if sets to true.') param supportsHttpsTrafficOnly bool = true -import { customerManagedKeyType } from 'br/public:avm/utl/types/avm-common-types:0.2.1' +import { customerManagedKeyWithAutoRotateType } from 'br/public:avm/utl/types/avm-common-types:0.4.0' @description('Optional. The customer managed key definition.') -param customerManagedKey customerManagedKeyType? +param customerManagedKey customerManagedKeyWithAutoRotateType? @description('Optional. The SAS expiration period. DD.HH:MM:SS.') param sasExpirationPeriod string = '' @@ -393,9 +393,11 @@ resource storageAccount 'Microsoft.Storage/storageAccounts@2023-05-01' = { ? { keyname: customerManagedKey!.keyName keyvaulturi: cMKKeyVault.properties.vaultUri - keyversion: !empty(customerManagedKey.?keyVersion ?? '') + keyversion: !empty(customerManagedKey.?keyVersion) ? customerManagedKey!.keyVersion - : last(split(cMKKeyVault::cMKKey.properties.keyUriWithVersion, '/')) + : (customerManagedKey.?autoRotationEnabled ?? true) + ? null + : last(split(cMKKeyVault::cMKKey.properties.keyUriWithVersion, '/')) } : null identity: { @@ -696,7 +698,7 @@ output primaryBlobEndpoint string = !empty(blobServices) && contains(blobService : '' @description('The principal ID of the system assigned identity.') -output systemAssignedMIPrincipalId string = storageAccount.?identity.?principalId ?? '' +output systemAssignedMIPrincipalId string? = storageAccount.?identity.?principalId @description('The location the resource was deployed into.') output location string = storageAccount.location diff --git a/avm/res/storage/storage-account/main.json b/avm/res/storage/storage-account/main.json index 0b9ea0bd04..226ead349d 100644 --- a/avm/res/storage/storage-account/main.json +++ b/avm/res/storage/storage-account/main.json 
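Review bot: The `customerManagedKeyWithAutoRotateType` import moves to avm-common-types 0.4.0 here, yet the compiled main.json in the same patch still carries `_1.secretSetOutputType` with `sourceTemplate ...avm-common-types:0.2.1` (the `@@ -129,7 +129,36 @@` hunk), and the README hunk adds a 0.4.0 row while keeping the 0.2.1 row, so an import of `secretSetOutputType` outside these hunks appears to have been left on 0.2.1. Pulling two versions of the same type library into one module doubles the registry dependency to audit, and the `_1.`/`_2.` prefix renumbering in main.json is the visible symptom of the split. Presumably bumping that remaining line to `import { secretSetOutputType } from 'br/public:avm/utl/types/avm-common-types:0.4.0'` would collapse the definitions back into a single namespace and let the README list one reference again; please confirm against the part of main.bicep not shown in this diff.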
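Review bot: The new `keyversion` branch changes the default for every caller that never set `keyVersion`: before this hunk the deploy-time version was pinned via `last(split(cMKKeyVault::cMKKey.properties.keyUriWithVersion, '/'))`, and now `autoRotationEnabled ?? true` yields `null`, so a redeploy of an existing account silently switches from a pinned key version to tracking the latest one. That is the intended feature, but the precedence is also worth stating in the code since an explicit `keyVersion` overrides `autoRotationEnabled` with no warning, meaning `autoRotationEnabled: true` plus a fixed `keyVersion` quietly disables rotation. A comment on the new ternary such as `// null lets the Storage RP follow the latest key version (auto-rotation); an explicit keyVersion always wins, and a deploy-time pin is only taken when autoRotationEnabled is false` would make both facts visible, and the README description of `customerManagedKey.autoRotationEnabled` could carry the same sentence. The enclosing `storageAccount` resource starts and ends outside this hunk.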
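Review bot: Changing `systemAssignedMIPrincipalId` from `string` with an `?? ''` fallback to `string?` is a consumer-visible contract change: callers that fed the output into a role assignment or string function previously received `''` when no system identity was configured and will now receive `null`, which fails type checks on a non-nullable parameter downstream. The PR checklist in the description ticks neither the MINOR nor the MAJOR bump box even though `version.json` appears in the diffstat, so please confirm the bump covers this and mention the nullable output in the PR description or README outputs table. If the change follows the AVM output specification, a short `// nullable per AVM spec: null when no system-assigned identity exists` comment on the output line would help consumers understand why the fallback was dropped.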
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.30.23.60470", - "templateHash": "4420850353095628584" + "version": "0.31.92.45157", + "templateHash": "16204410426980964213" }, "name": "Storage Accounts", "description": "This module deploys a Storage Account.", @@ -129,7 +129,36 @@ "__bicep_export!": true } }, - "_1.privateEndpointCustomDnsConfigType": { + "_1.secretSetOutputType": { + "type": "object", + "properties": { + "secretResourceId": { + "type": "string", + "metadata": { + "description": "The resourceId of the exported secret." + } + }, + "secretUri": { + "type": "string", + "metadata": { + "description": "The secret URI of the exported secret." + } + }, + "secretUriWithVersion": { + "type": "string", + "metadata": { + "description": "The secret URI with version of the exported secret." + } + } + }, + "metadata": { + "description": "An AVM-aligned type for the output of the secret set via the secrets export feature.", + "__bicep_imported_from!": { + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.1" + } + } + }, + "_2.privateEndpointCustomDnsConfigType": { "type": "object", "properties": { "fqdn": { @@ -151,11 +180,11 @@ }, "metadata": { "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.1" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.4.0" } } }, - "_1.privateEndpointIpConfigurationType": { + "_2.privateEndpointIpConfigurationType": { "type": "object", "properties": { "name": { @@ -193,11 +222,11 @@ }, "metadata": { "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.1" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.4.0" } } }, - "_1.privateEndpointPrivateDnsZoneGroupType": { + "_2.privateEndpointPrivateDnsZoneGroupType": { "type": "object", "properties": { "name": { 
@@ -234,40 +263,11 @@ }, "metadata": { "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.1" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.4.0" } } }, - "_1.secretSetOutputType": { - "type": "object", - "properties": { - "secretResourceId": { - "type": "string", - "metadata": { - "description": "The resourceId of the exported secret." - } - }, - "secretUri": { - "type": "string", - "metadata": { - "description": "The secret URI of the exported secret." - } - }, - "secretUriWithVersion": { - "type": "string", - "metadata": { - "description": "The secret URI with version of the exported secret." - } - } - }, - "metadata": { - "description": "An AVM-aligned type for the output of the secret set via the secrets export feature.", - "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.1" - } - } - }, - "customerManagedKeyType": { + "customerManagedKeyWithAutoRotateType": { "type": "object", "properties": { "keyVaultResourceId": { @@ -286,7 +286,14 @@ "type": "string", "nullable": true, "metadata": { - "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'." + "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, using version as per 'autoRotationEnabled' setting." + } + }, + "autoRotationEnabled": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable or disable auto-rotating to the latest key version. Default is `true`. If set to `false`, the latest key version at the time of the deployment is used." } }, "userAssignedIdentityResourceId": { 
@@ -298,9 +305,9 @@ } }, "metadata": { - "description": "An AVM-aligned type for a customer-managed key.", + "description": "An AVM-aligned type for a customer-managed key. To be used if the resource type supports auto-rotation of the customer-managed key.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.1" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.4.0" } } }, @@ -422,7 +429,7 @@ "metadata": { "description": "An AVM-aligned type for a diagnostic setting. To be used if both logs & metrics are supported by the resource provider.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.1" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.4.0" } } }, @@ -452,7 +459,7 @@ "metadata": { "description": "An AVM-aligned type for a lock.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.1" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.4.0" } } }, @@ -480,7 +487,7 @@ "metadata": { "description": "An AVM-aligned type for a managed identity configuration. To be used if both a system-assigned & user-assigned identities are supported by the resource provider.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.1" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.4.0" } } }, @@ -521,7 +528,7 @@ } }, "privateDnsZoneGroup": { - "$ref": "#/definitions/_1.privateEndpointPrivateDnsZoneGroupType", + "$ref": "#/definitions/_2.privateEndpointPrivateDnsZoneGroupType", "nullable": true, "metadata": { "description": "Optional. The private DNS zone group to configure for the private endpoint." 
@@ -545,7 +552,7 @@ "customDnsConfigs": { "type": "array", "items": { - "$ref": "#/definitions/_1.privateEndpointCustomDnsConfigType" + "$ref": "#/definitions/_2.privateEndpointCustomDnsConfigType" }, "nullable": true, "metadata": { @@ -555,7 +562,7 @@ "ipConfigurations": { "type": "array", "items": { - "$ref": "#/definitions/_1.privateEndpointIpConfigurationType" + "$ref": "#/definitions/_2.privateEndpointIpConfigurationType" }, "nullable": true, "metadata": { @@ -621,7 +628,7 @@ "metadata": { "description": "An AVM-aligned type for a private endpoint. To be used if the private endpoint's default service / groupId can NOT be assumed (i.e., for services that have more than one subresource, like Storage Account with Blob (blob, table, queue, file, ...).", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.1" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.4.0" } } }, @@ -696,7 +703,7 @@ "metadata": { "description": "An AVM-aligned type for a role assignment.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.1" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.4.0" } } }, @@ -1032,7 +1039,7 @@ } }, "customerManagedKey": { - "$ref": "#/definitions/customerManagedKeyType", + "$ref": "#/definitions/customerManagedKeyWithAutoRotateType", "nullable": true, "metadata": { "description": "Optional. The customer managed key definition." 
@@ -1176,7 +1183,7 @@ }, "dnsEndpointType": "[if(not(empty(parameters('dnsEndpointType'))), parameters('dnsEndpointType'), null())]", "isLocalUserEnabled": "[parameters('isLocalUserEnabled')]", - "encryption": "[union(createObject('keySource', if(not(empty(parameters('customerManagedKey'))), 'Microsoft.Keyvault', 'Microsoft.Storage'), 'services', createObject('blob', if(variables('supportsBlobService'), createObject('enabled', true()), null()), 'file', if(variables('supportsFileService'), createObject('enabled', true()), null()), 'table', createObject('enabled', true(), 'keyType', parameters('keyType')), 'queue', createObject('enabled', true(), 'keyType', parameters('keyType'))), 'keyvaultproperties', if(not(empty(parameters('customerManagedKey'))), createObject('keyname', parameters('customerManagedKey').keyName, 'keyvaulturi', reference('cMKKeyVault').vaultUri, 'keyversion', if(not(empty(coalesce(tryGet(parameters('customerManagedKey'), 'keyVersion'), ''))), parameters('customerManagedKey').keyVersion, last(split(reference('cMKKeyVault::cMKKey').keyUriWithVersion, '/')))), null()), 'identity', createObject('userAssignedIdentity', if(not(empty(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'))), extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '//'), '/')[2], split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '////'), '/')[4]), 'Microsoft.ManagedIdentity/userAssignedIdentities', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), 'dummyMsi'), '/'))), null()))), if(parameters('requireInfrastructureEncryption'), createObject('requireInfrastructureEncryption', if(not(equals(parameters('kind'), 'Storage')), parameters('requireInfrastructureEncryption'), null())), createObject()))]", + "encryption": "[union(createObject('keySource', 
if(not(empty(parameters('customerManagedKey'))), 'Microsoft.Keyvault', 'Microsoft.Storage'), 'services', createObject('blob', if(variables('supportsBlobService'), createObject('enabled', true()), null()), 'file', if(variables('supportsFileService'), createObject('enabled', true()), null()), 'table', createObject('enabled', true(), 'keyType', parameters('keyType')), 'queue', createObject('enabled', true(), 'keyType', parameters('keyType'))), 'keyvaultproperties', if(not(empty(parameters('customerManagedKey'))), createObject('keyname', parameters('customerManagedKey').keyName, 'keyvaulturi', reference('cMKKeyVault').vaultUri, 'keyversion', if(not(empty(tryGet(parameters('customerManagedKey'), 'keyVersion'))), parameters('customerManagedKey').keyVersion, if(coalesce(tryGet(parameters('customerManagedKey'), 'autoRotationEnabled'), true()), null(), last(split(reference('cMKKeyVault::cMKKey').keyUriWithVersion, '/'))))), null()), 'identity', createObject('userAssignedIdentity', if(not(empty(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'))), extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '//'), '/')[2], split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '////'), '/')[4]), 'Microsoft.ManagedIdentity/userAssignedIdentities', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), 'dummyMsi'), '/'))), null()))), if(parameters('requireInfrastructureEncryption'), createObject('requireInfrastructureEncryption', if(not(equals(parameters('kind'), 'Storage')), parameters('requireInfrastructureEncryption'), null())), createObject()))]", "accessTier": "[if(and(not(equals(parameters('kind'), 'Storage')), not(equals(parameters('kind'), 'BlockBlobStorage'))), parameters('accessTier'), null())]", "sasPolicy": "[if(not(empty(parameters('sasExpirationPeriod'))), 
createObject('expirationAction', 'Log', 'sasExpirationPeriod', parameters('sasExpirationPeriod')), null())]", "supportsHttpsTrafficOnly": "[parameters('supportsHttpsTrafficOnly')]", @@ -2053,8 +2060,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.30.23.60470", - "templateHash": "16749766572958481061" + "version": "0.31.92.45157", + "templateHash": "4758818286358106448" }, "name": "Storage Account Management Policies", "description": "This module deploys a Storage Account Management Policy.", @@ -2163,8 +2170,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.30.23.60470", - "templateHash": "4771770611168248415" + "version": "0.31.92.45157", + "templateHash": "13871524692494146314" }, "name": "Storage Account Local Users", "description": "This module deploys a Storage Account Local User, which is used for SFTP authentication.", @@ -2381,8 +2388,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.30.23.60470", - "templateHash": "12420339026638684809" + "version": "0.31.92.45157", + "templateHash": "13498928590492156888" }, "name": "Storage Account blob Services", "description": "This module deploys a Storage Account Blob Service.", @@ -2507,7 +2514,7 @@ "metadata": { "description": "An AVM-aligned type for a diagnostic setting. To be used if both logs & metrics are supported by the resource provider.", "__bicep_imported_from!": { - "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.1" + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.4.0" } } } @@ -2788,8 +2795,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.30.23.60470", - "templateHash": "2340678191837281561" + "version": "0.31.92.45157", + "templateHash": "13866122608356514480" }, "name": "Storage Account Blob Containers", "description": "This module deploys a Storage Account Blob Container.", 
@@ -2867,7 +2874,7 @@
 "metadata": {
 "description": "An AVM-aligned type for a role assignment.",
 "__bicep_imported_from!": {
- "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.1"
+ "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.4.0"
 }
 }
 }
@@ -3084,8 +3091,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.30.23.60470",
- "templateHash": "17642721918788484059"
+ "version": "0.31.92.45157",
+ "templateHash": "377117240673904242"
 },
 "name": "Storage Account Blob Container Immutability Policies",
 "description": "This module deploys a Storage Account Blob Container Immutability Policy.",
@@ -3264,8 +3271,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.30.23.60470",
- "templateHash": "11334292387756483860"
+ "version": "0.31.92.45157",
+ "templateHash": "652717210213575792"
 },
 "name": "Storage Account File Share Services",
 "description": "This module deploys a Storage Account File Share Service.",
@@ -3390,7 +3397,7 @@
 "metadata": {
 "description": "An AVM-aligned type for a diagnostic setting. To be used if both logs & metrics are supported by the resource provider.",
 "__bicep_imported_from!": {
- "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.1"
+ "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.4.0"
 }
 }
 }
@@ -3551,8 +3558,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.30.23.60470",
- "templateHash": "6729752654389555660"
+ "version": "0.31.92.45157",
+ "templateHash": "647440482037193710"
 },
 "name": "Storage Account File Shares",
 "description": "This module deploys a Storage Account File Share.",
@@ -3630,7 +3637,7 @@
 "metadata": {
 "description": "An AVM-aligned type for a role assignment.",
 "__bicep_imported_from!": {
- "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.1"
+ "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.4.0"
 }
 }
 }
@@ -3764,8 +3771,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.30.23.60470",
- "templateHash": "11498628270290452072"
+ "version": "0.31.92.45157",
+ "templateHash": "9505259635631318962"
 }
 },
 "parameters": {
@@ -4040,8 +4047,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.30.23.60470",
- "templateHash": "8427226755569651235"
+ "version": "0.31.92.45157",
+ "templateHash": "7019230822337955866"
 },
 "name": "Storage Account Queue Services",
 "description": "This module deploys a Storage Account Queue Service.",
@@ -4291,8 +4298,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.30.23.60470",
- "templateHash": "17434851913053254324"
+ "version": "0.31.92.45157",
+ "templateHash": "15204094799418239872"
 },
 "name": "Storage Account Queues",
 "description": "This module deploys a Storage Account Queue.",
@@ -4568,8 +4575,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.30.23.60470",
- "templateHash": "8854918982965924242"
+ "version": "0.31.92.45157",
+ "templateHash": "3872868238795839712"
 },
 "name": "Storage Account Table Services",
 "description": "This module deploys a Storage Account Table Service.",
@@ -4816,8 +4823,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.30.23.60470",
- "templateHash": "14487041808457984428"
+ "version": "0.31.92.45157",
+ "templateHash": "443267280546424371"
 },
 "name": "Storage Account Table",
 "description": "This module deploys a Storage Account Table.",
@@ -5080,8 +5087,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.30.23.60470",
- "templateHash": "13337765828606873307"
+ "version": "0.31.92.45157",
+ "templateHash": "11923198665150594620"
 }
 },
 "definitions": {
@@ -5235,10 +5242,11 @@
 },
 "systemAssignedMIPrincipalId": {
 "type": "string",
+ "nullable": true,
 "metadata": {
 "description": "The principal ID of the system assigned identity."
 },
- "value": "[coalesce(tryGet(tryGet(reference('storageAccount', '2023-05-01', 'full'), 'identity'), 'principalId'), '')]"
+ "value": "[tryGet(tryGet(reference('storageAccount', '2023-05-01', 'full'), 'identity'), 'principalId')]"
 },
 "location": {
 "type": "string",
diff --git a/avm/res/storage/storage-account/management-policy/main.json b/avm/res/storage/storage-account/management-policy/main.json
index 6acd0abce6..44ae8478b6 100644
--- a/avm/res/storage/storage-account/management-policy/main.json
+++ b/avm/res/storage/storage-account/management-policy/main.json
@@ -4,8 +4,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.30.23.60470",
- "templateHash": "16749766572958481061"
+ "version": "0.31.92.45157",
+ "templateHash": "4758818286358106448"
 },
 "name": "Storage Account Management Policies",
 "description": "This module deploys a Storage Account Management Policy.",
diff --git a/avm/res/storage/storage-account/queue-service/main.json b/avm/res/storage/storage-account/queue-service/main.json
index 557dc74aa0..ee041706b4 100644
--- a/avm/res/storage/storage-account/queue-service/main.json
+++ b/avm/res/storage/storage-account/queue-service/main.json
@@ -5,8 +5,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.30.23.60470",
- "templateHash": "8427226755569651235"
+ "version": "0.31.92.45157",
+ "templateHash": "7019230822337955866"
 },
 "name": "Storage Account Queue Services",
 "description": "This module deploys a Storage Account Queue Service.",
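Review bot: The description of the `systemAssignedMIPrincipalId` output in the `@@ -5235,10 +5242,11 @@` hunk still reads "The principal ID of the system assigned identity." although the output is now marked `"nullable": true` and its value expression `tryGet(tryGet(reference(...), 'identity'), 'principalId')` yields null instead of the former empty string when no system-assigned identity exists. That is a contract change for consumers that feed this output into string-typed inputs such as a role-assignment principal, so the description should state the null case, e.g. `The principal ID of the system assigned identity. Is null if no system-assigned identity was configured.` As main.json is compiler output, the wording presumably belongs in the output's `@description` in main.bicep, which is not part of this hunk; the behaviour change is also worth mentioning next to the version bump in version.json.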
@@ -256,8 +256,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.30.23.60470",
- "templateHash": "17434851913053254324"
+ "version": "0.31.92.45157",
+ "templateHash": "15204094799418239872"
 },
 "name": "Storage Account Queues",
 "description": "This module deploys a Storage Account Queue.",
diff --git a/avm/res/storage/storage-account/queue-service/queue/main.json b/avm/res/storage/storage-account/queue-service/queue/main.json
index a3f4c271ec..cea9977925 100644
--- a/avm/res/storage/storage-account/queue-service/queue/main.json
+++ b/avm/res/storage/storage-account/queue-service/queue/main.json
@@ -5,8 +5,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.30.23.60470",
- "templateHash": "17434851913053254324"
+ "version": "0.31.92.45157",
+ "templateHash": "15204094799418239872"
 },
 "name": "Storage Account Queues",
 "description": "This module deploys a Storage Account Queue.",
diff --git a/avm/res/storage/storage-account/table-service/main.json b/avm/res/storage/storage-account/table-service/main.json
index 1e7afc9986..005638be20 100644
--- a/avm/res/storage/storage-account/table-service/main.json
+++ b/avm/res/storage/storage-account/table-service/main.json
@@ -5,8 +5,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.30.23.60470",
- "templateHash": "8854918982965924242"
+ "version": "0.31.92.45157",
+ "templateHash": "3872868238795839712"
 },
 "name": "Storage Account Table Services",
 "description": "This module deploys a Storage Account Table Service.",
@@ -253,8 +253,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.30.23.60470",
- "templateHash": "14487041808457984428"
+ "version": "0.31.92.45157",
+ "templateHash": "443267280546424371"
 },
 "name": "Storage Account Table",
 "description": "This module deploys a Storage Account Table.",
diff --git a/avm/res/storage/storage-account/table-service/table/main.json b/avm/res/storage/storage-account/table-service/table/main.json
index 7b2fe4c3e4..c6e002440b 100644
--- a/avm/res/storage/storage-account/table-service/table/main.json
+++ b/avm/res/storage/storage-account/table-service/table/main.json
@@ -5,8 +5,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.30.23.60470",
- "templateHash": "14487041808457984428"
+ "version": "0.31.92.45157",
+ "templateHash": "443267280546424371"
 },
 "name": "Storage Account Table",
 "description": "This module deploys a Storage Account Table.",
diff --git a/avm/res/storage/storage-account/version.json b/avm/res/storage/storage-account/version.json
index 35d09f6dbf..7d87cc7c01 100644
--- a/avm/res/storage/storage-account/version.json
+++ b/avm/res/storage/storage-account/version.json
@@ -1,6 +1,6 @@
 {
 "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.14",
+ "version": "0.15",
 "pathFilters": [
 "./main.json"
 ]