forked from Azure/bicep-registry-modules
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
9 changed files
with
1,042 additions
and
0 deletions.
There are no files selected for viewing
Large diffs are not rendered by default.
Oops, something went wrong.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,125 @@ | ||
| metadata name = 'DDoS Protection Plans' | ||
| metadata description = 'This module deploys a DDoS Protection Plan.' | ||
| metadata owner = 'Azure/module-maintainers' | ||
|
|
||
| @description('Required. Name of the DDoS protection plan to assign the VNET to.') | ||
| @minLength(1) | ||
| param name string | ||
|
|
||
| @description('Optional. Location for all resources.') | ||
| param location string = resourceGroup().location | ||
|
|
||
| @description('Optional. The lock settings of the service.') | ||
| param lock lockType | ||
|
|
||
| @description('Optional. Array of role assignments to create.') | ||
| param roleAssignments roleAssignmentType | ||
|
|
||
| @description('Optional. Tags of the resource.') | ||
| param tags object? | ||
|
|
||
| @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') | ||
| param enableTelemetry bool = true | ||
|
|
||
| var builtInRoleNames = { | ||
| Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') | ||
| Owner: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635') | ||
| Reader: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') | ||
| 'Role Based Access Control Administrator (Preview)': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168') | ||
| 'User Access Administrator': subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9') | ||
| } | ||
|
|
||
| resource avmTelemetry 'Microsoft.Resources/deployments@2023-07-01' = if (enableTelemetry) { | ||
| name: '46d3xbcp.res.network-ddosprotectionplan.${replace('-..--..-', '.', '-')}.${substring(uniqueString(deployment().name, location), 0, 4)}' | ||
| properties: { | ||
| mode: 'Incremental' | ||
| template: { | ||
| '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' | ||
| contentVersion: '1.0.0.0' | ||
| resources: [] | ||
| outputs: { | ||
| telemetry: { | ||
| type: 'String' | ||
| value: 'For more information, see https://aka.ms/avm/TelemetryInfo' | ||
| } | ||
| } | ||
| } | ||
| } | ||
| } | ||
|
|
||
| resource ddosProtectionPlan 'Microsoft.Network/ddosProtectionPlans@2023-04-01' = { | ||
| name: name | ||
| location: location | ||
| tags: tags | ||
| properties: {} | ||
| } | ||
|
|
||
| resource ddosProtectionPlan_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { | ||
| name: lock.?name ?? 'lock-${name}' | ||
| properties: { | ||
| level: lock.?kind ?? '' | ||
| notes: lock.?kind == 'CanNotDelete' ? 'Cannot delete resource or child resources.' : 'Cannot delete or modify the resource or child resources.' | ||
| } | ||
| scope: ddosProtectionPlan | ||
| } | ||
|
|
||
| resource ddosProtectionPlan_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [for (roleAssignment, index) in (roleAssignments ?? []): { | ||
| name: guid(ddosProtectionPlan.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) | ||
| properties: { | ||
| roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') ? roleAssignment.roleDefinitionIdOrName : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) | ||
| principalId: roleAssignment.principalId | ||
| description: roleAssignment.?description | ||
| principalType: roleAssignment.?principalType | ||
| condition: roleAssignment.?condition | ||
| conditionVersion: !empty(roleAssignment.?condition) ? (roleAssignment.?conditionVersion ?? '2.0') : null // Must only be set if condtion is set | ||
| delegatedManagedIdentityResourceId: roleAssignment.?delegatedManagedIdentityResourceId | ||
| } | ||
| scope: ddosProtectionPlan | ||
| }] | ||
|
|
||
| @description('The resource group the DDOS protection plan was deployed into.') | ||
| output resourceGroupName string = resourceGroup().name | ||
|
|
||
| @description('The resource ID of the DDOS protection plan.') | ||
| output resourceId string = ddosProtectionPlan.id | ||
|
|
||
| @description('The name of the DDOS protection plan.') | ||
| output name string = ddosProtectionPlan.name | ||
|
|
||
| @description('The location the resource was deployed into.') | ||
| output location string = ddosProtectionPlan.location | ||
|
|
||
| // =============== // | ||
| // Definitions // | ||
| // =============== // | ||
|
|
||
| type lockType = { | ||
| @description('Optional. Specify the name of lock.') | ||
| name: string? | ||
|
|
||
| @description('Optional. Specify the type of lock.') | ||
| kind: ('CanNotDelete' | 'ReadOnly' | 'None')? | ||
| }? | ||
|
|
||
| type roleAssignmentType = { | ||
| @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') | ||
| roleDefinitionIdOrName: string | ||
|
|
||
| @description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') | ||
| principalId: string | ||
|
|
||
| @description('Optional. The principal type of the assigned principal ID.') | ||
| principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? | ||
|
|
||
| @description('Optional. The description of the role assignment.') | ||
| description: string? | ||
|
|
||
| @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container"') | ||
| condition: string? | ||
|
|
||
| @description('Optional. Version of the condition.') | ||
| conditionVersion: '2.0'? | ||
|
|
||
| @description('Optional. The Resource Id of the delegated managed identity resource.') | ||
| delegatedManagedIdentityResourceId: string? | ||
| }[]? |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,255 @@ | ||
| { | ||
| "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", | ||
| "languageVersion": "2.0", | ||
| "contentVersion": "1.0.0.0", | ||
| "metadata": { | ||
| "_generator": { | ||
| "name": "bicep", | ||
| "version": "0.23.1.45101", | ||
| "templateHash": "5871431232635632989" | ||
| }, | ||
| "name": "DDoS Protection Plans", | ||
| "description": "This module deploys a DDoS Protection Plan.", | ||
| "owner": "Azure/module-maintainers" | ||
| }, | ||
| "definitions": { | ||
| "lockType": { | ||
| "type": "object", | ||
| "properties": { | ||
| "name": { | ||
| "type": "string", | ||
| "nullable": true, | ||
| "metadata": { | ||
| "description": "Optional. Specify the name of lock." | ||
| } | ||
| }, | ||
| "kind": { | ||
| "type": "string", | ||
| "allowedValues": [ | ||
| "CanNotDelete", | ||
| "None", | ||
| "ReadOnly" | ||
| ], | ||
| "nullable": true, | ||
| "metadata": { | ||
| "description": "Optional. Specify the type of lock." | ||
| } | ||
| } | ||
| }, | ||
| "nullable": true | ||
| }, | ||
| "roleAssignmentType": { | ||
| "type": "array", | ||
| "items": { | ||
| "type": "object", | ||
| "properties": { | ||
| "roleDefinitionIdOrName": { | ||
| "type": "string", | ||
| "metadata": { | ||
| "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." | ||
| } | ||
| }, | ||
| "principalId": { | ||
| "type": "string", | ||
| "metadata": { | ||
| "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." | ||
| } | ||
| }, | ||
| "principalType": { | ||
| "type": "string", | ||
| "allowedValues": [ | ||
| "Device", | ||
| "ForeignGroup", | ||
| "Group", | ||
| "ServicePrincipal", | ||
| "User" | ||
| ], | ||
| "nullable": true, | ||
| "metadata": { | ||
| "description": "Optional. The principal type of the assigned principal ID." | ||
| } | ||
| }, | ||
| "description": { | ||
| "type": "string", | ||
| "nullable": true, | ||
| "metadata": { | ||
| "description": "Optional. The description of the role assignment." | ||
| } | ||
| }, | ||
| "condition": { | ||
| "type": "string", | ||
| "nullable": true, | ||
| "metadata": { | ||
| "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"" | ||
| } | ||
| }, | ||
| "conditionVersion": { | ||
| "type": "string", | ||
| "allowedValues": [ | ||
| "2.0" | ||
| ], | ||
| "nullable": true, | ||
| "metadata": { | ||
| "description": "Optional. Version of the condition." | ||
| } | ||
| }, | ||
| "delegatedManagedIdentityResourceId": { | ||
| "type": "string", | ||
| "nullable": true, | ||
| "metadata": { | ||
| "description": "Optional. The Resource Id of the delegated managed identity resource." | ||
| } | ||
| } | ||
| } | ||
| }, | ||
| "nullable": true | ||
| } | ||
| }, | ||
| "parameters": { | ||
| "name": { | ||
| "type": "string", | ||
| "minLength": 1, | ||
| "metadata": { | ||
| "description": "Required. Name of the DDoS protection plan to assign the VNET to." | ||
| } | ||
| }, | ||
| "location": { | ||
| "type": "string", | ||
| "defaultValue": "[resourceGroup().location]", | ||
| "metadata": { | ||
| "description": "Optional. Location for all resources." | ||
| } | ||
| }, | ||
| "lock": { | ||
| "$ref": "#/definitions/lockType", | ||
| "metadata": { | ||
| "description": "Optional. The lock settings of the service." | ||
| } | ||
| }, | ||
| "roleAssignments": { | ||
| "$ref": "#/definitions/roleAssignmentType", | ||
| "metadata": { | ||
| "description": "Optional. Array of role assignments to create." | ||
| } | ||
| }, | ||
| "tags": { | ||
| "type": "object", | ||
| "nullable": true, | ||
| "metadata": { | ||
| "description": "Optional. Tags of the resource." | ||
| } | ||
| }, | ||
| "enableTelemetry": { | ||
| "type": "bool", | ||
| "defaultValue": true, | ||
| "metadata": { | ||
| "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." | ||
| } | ||
| } | ||
| }, | ||
| "variables": { | ||
| "builtInRoleNames": { | ||
| "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", | ||
| "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", | ||
| "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", | ||
| "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", | ||
| "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" | ||
| } | ||
| }, | ||
| "resources": { | ||
| "avmTelemetry": { | ||
| "condition": "[parameters('enableTelemetry')]", | ||
| "type": "Microsoft.Resources/deployments", | ||
| "apiVersion": "2023-07-01", | ||
| "name": "[format('46d3xbcp.res.network-ddosprotectionplan.{0}.{1}', replace('-..--..-', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", | ||
| "properties": { | ||
| "mode": "Incremental", | ||
| "template": { | ||
| "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", | ||
| "contentVersion": "1.0.0.0", | ||
| "resources": [], | ||
| "outputs": { | ||
| "telemetry": { | ||
| "type": "String", | ||
| "value": "For more information, see https://aka.ms/avm/TelemetryInfo" | ||
| } | ||
| } | ||
| } | ||
| } | ||
| }, | ||
| "ddosProtectionPlan": { | ||
| "type": "Microsoft.Network/ddosProtectionPlans", | ||
| "apiVersion": "2023-04-01", | ||
| "name": "[parameters('name')]", | ||
| "location": "[parameters('location')]", | ||
| "tags": "[parameters('tags')]", | ||
| "properties": {} | ||
| }, | ||
| "ddosProtectionPlan_lock": { | ||
| "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", | ||
| "type": "Microsoft.Authorization/locks", | ||
| "apiVersion": "2020-05-01", | ||
| "scope": "[format('Microsoft.Network/ddosProtectionPlans/{0}', parameters('name'))]", | ||
| "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", | ||
| "properties": { | ||
| "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", | ||
| "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" | ||
| }, | ||
| "dependsOn": [ | ||
| "ddosProtectionPlan" | ||
| ] | ||
| }, | ||
| "ddosProtectionPlan_roleAssignments": { | ||
| "copy": { | ||
| "name": "ddosProtectionPlan_roleAssignments", | ||
| "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" | ||
| }, | ||
| "type": "Microsoft.Authorization/roleAssignments", | ||
| "apiVersion": "2022-04-01", | ||
| "scope": "[format('Microsoft.Network/ddosProtectionPlans/{0}', parameters('name'))]", | ||
| "name": "[guid(resourceId('Microsoft.Network/ddosProtectionPlans', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", | ||
| "properties": { | ||
| "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", | ||
| "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", | ||
| "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", | ||
| "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", | ||
| "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", | ||
| "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", | ||
| "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" | ||
| }, | ||
| "dependsOn": [ | ||
| "ddosProtectionPlan" | ||
| ] | ||
| } | ||
| }, | ||
| "outputs": { | ||
| "resourceGroupName": { | ||
| "type": "string", | ||
| "metadata": { | ||
| "description": "The resource group the DDOS protection plan was deployed into." | ||
| }, | ||
| "value": "[resourceGroup().name]" | ||
| }, | ||
| "resourceId": { | ||
| "type": "string", | ||
| "metadata": { | ||
| "description": "The resource ID of the DDOS protection plan." | ||
| }, | ||
| "value": "[resourceId('Microsoft.Network/ddosProtectionPlans', parameters('name'))]" | ||
| }, | ||
| "name": { | ||
| "type": "string", | ||
| "metadata": { | ||
| "description": "The name of the DDOS protection plan." | ||
| }, | ||
| "value": "[parameters('name')]" | ||
| }, | ||
| "location": { | ||
| "type": "string", | ||
| "metadata": { | ||
| "description": "The location the resource was deployed into." | ||
| }, | ||
| "value": "[reference('ddosProtectionPlan', '2023-04-01', 'full').location]" | ||
| } | ||
| } | ||
| } |
Oops, something went wrong.