From 305f9a5684f60817df4b93b63eb6b3f942d38e77 Mon Sep 17 00:00:00 2001 
From: bobmclane999 <142896605+bobmclane999@users.noreply.github.com> Date: Mon, 10 Jun 2024 02:12:45 +0100 Subject: [PATCH] feat: additional parameters, including CMK, for `avm/res/net-app/net-app-account` (#2089) ## Description ## Pipeline Reference | Pipeline | | -------- | | [![avm.res.net-app.net-app-account](https://github.com/bobmclane999/bicep-registry-modules/actions/workflows/avm.res.net-app.net-app-account.yml/badge.svg)](https://github.com/bobmclane999/bicep-registry-modules/actions/workflows/avm.res.net-app.net-app-account.yml) | See this run: https://github.com/bobmclane999/bicep-registry-modules/actions/runs/9418453527 ## Type of Change - [ ] Update to CI Environment or utilities (Non-module affecting changes) - [ ] Azure Verified Module updates: - [ ] Bugfix containing backwards compatible bug fixes, and I have NOT bumped the MAJOR or MINOR version in `version.json`: - [ ] Someone has opened a bug report issue, and I have included "Closes #{bug_report_issue_number}" in the PR description. - [ ] The bug was found by the module author, and no one has opened an issue to report it yet. - [ ] Feature update backwards compatible feature updates, and I have bumped the MINOR version in `version.json`. - [ ] Breaking changes and I have bumped the MAJOR version in `version.json`. - [ ] Update to documentation ## Checklist - [ ] I'm sure there are no other open Pull Requests for the same update/change - [ ] I have run `Set-AVMModule` locally to generate the supporting module files. 
- [ ] My corresponding pipelines / checks run clean and green without any errors or warnings --------- Co-authored-by: Jack Tracey <41163455+jtracey93@users.noreply.github.com> Co-authored-by: Erika Gressi <56914614+eriqua@users.noreply.github.com> --- avm/res/net-app/net-app-account/README.md | 74 ++++++++++- .../net-app-account/capacity-pool/README.md | 4 +- .../net-app-account/capacity-pool/main.bicep | 4 +- .../net-app-account/capacity-pool/main.json | 22 ++-- .../capacity-pool/volume/README.md | 2 +- .../capacity-pool/volume/main.bicep | 6 +- .../capacity-pool/volume/main.json | 12 +- avm/res/net-app/net-app-account/main.bicep | 108 +++++++++++---- avm/res/net-app/net-app-account/main.json | 123 +++++++++++++++--- 9 files changed, 285 insertions(+), 70 deletions(-) diff --git a/avm/res/net-app/net-app-account/README.md b/avm/res/net-app/net-app-account/README.md index cab3531c89..70904aa677 100644 --- a/avm/res/net-app/net-app-account/README.md +++ b/avm/res/net-app/net-app-account/README.md 
@@ -17,9 +17,9 @@ This module deploys an Azure NetApp File. | :-- | :-- | | `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.NetApp/netAppAccounts` | [2022-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.NetApp/2022-11-01/netAppAccounts) | -| `Microsoft.NetApp/netAppAccounts/capacityPools` | [2022-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.NetApp/2022-11-01/netAppAccounts/capacityPools) | -| `Microsoft.NetApp/netAppAccounts/capacityPools/volumes` | [2022-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.NetApp/2022-11-01/netAppAccounts/capacityPools/volumes) | +| `Microsoft.NetApp/netAppAccounts` | [2023-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.NetApp/netAppAccounts) | +| `Microsoft.NetApp/netAppAccounts/capacityPools` | [2023-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.NetApp/netAppAccounts/capacityPools) | +| `Microsoft.NetApp/netAppAccounts/capacityPools/volumes` | [2023-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.NetApp/netAppAccounts/capacityPools/volumes) | ## Usage examples 
@@ -645,13 +645,16 @@ module netAppAccount 'br/public:avm/res/net-app/net-app-account:' = { | Parameter | Type | Description | | :-- | :-- | :-- | +| [`aesEncryption`](#parameter-aesencryption) | bool | Enable AES encryption on the SMB Server. | | [`capacityPools`](#parameter-capacitypools) | array | Capacity pools to create. | +| [`customerManagedKey`](#parameter-customermanagedkey) | object | The customer managed key definition. | | [`dnsServers`](#parameter-dnsservers) | string | Required if domainName is specified. Comma separated list of DNS server IP addresses (IPv4 only) required for the Active Directory (AD) domain join and SMB authentication operations to succeed. | | [`domainJoinOU`](#parameter-domainjoinou) | string | Used only if domainName is specified. LDAP Path for the Organization Unit (OU) where SMB Server machine accounts will be created (i.e. 'OU=SecondLevel,OU=FirstLevel'). | | [`domainJoinPassword`](#parameter-domainjoinpassword) | securestring | Required if domainName is specified. Password of the user specified in domainJoinUser parameter. | | [`domainJoinUser`](#parameter-domainjoinuser) | string | Required if domainName is specified. Username of Active Directory domain administrator, with permissions to create SMB server machine account in the AD domain. | | [`domainName`](#parameter-domainname) | string | Fully Qualified Active Directory DNS Domain Name (e.g. 'contoso.com'). | | [`enableTelemetry`](#parameter-enabletelemetry) | bool | Enable/Disable usage telemetry for module. | +| [`ldapSigning`](#parameter-ldapsigning) | bool | Specifies whether or not the LDAP traffic needs to be signed. | | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | 
@@ -666,6 +669,14 @@ The name of the NetApp account. - Required: Yes - Type: string +### Parameter: `aesEncryption` + +Enable AES encryption on the SMB Server. + +- Required: No +- Type: bool +- Default: `False` + ### Parameter: `capacityPools` Capacity pools to create. 
@@ -674,6 +685,55 @@ Capacity pools to create. - Type: array - Default: `[]` +### Parameter: `customerManagedKey` + +The customer managed key definition. + +- Required: No +- Type: object + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`keyName`](#parameter-customermanagedkeykeyname) | string | The name of the customer managed key to use for encryption. | +| [`keyVaultResourceId`](#parameter-customermanagedkeykeyvaultresourceid) | string | The resource ID of a key vault to reference a customer managed key for encryption from. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`keyVersion`](#parameter-customermanagedkeykeyversion) | string | The version of the customer managed key to reference for encryption. If not provided, using 'latest'. | +| [`userAssignedIdentityResourceId`](#parameter-customermanagedkeyuserassignedidentityresourceid) | string | User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. | + +### Parameter: `customerManagedKey.keyName` + +The name of the customer managed key to use for encryption. + +- Required: Yes +- Type: string + +### Parameter: `customerManagedKey.keyVaultResourceId` + +The resource ID of a key vault to reference a customer managed key for encryption from. + +- Required: Yes +- Type: string + +### Parameter: `customerManagedKey.keyVersion` + +The version of the customer managed key to reference for encryption. If not provided, using 'latest'. + +- Required: No +- Type: string + +### Parameter: `customerManagedKey.userAssignedIdentityResourceId` + +User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use. + +- Required: No +- Type: string + ### Parameter: `dnsServers` Required if domainName is specified. 
Comma separated list of DNS server IP addresses (IPv4 only) required for the Active Directory (AD) domain join and SMB authentication operations to succeed. @@ -722,6 +782,14 @@ Enable/Disable usage telemetry for module. - Type: bool - Default: `True` +### Parameter: `ldapSigning` + +Specifies whether or not the LDAP traffic needs to be signed. + +- Required: No +- Type: bool +- Default: `False` + ### Parameter: `location` Location for all resources. diff --git a/avm/res/net-app/net-app-account/capacity-pool/README.md b/avm/res/net-app/net-app-account/capacity-pool/README.md index c8c55afaa8..d72b6183a5 100644 --- a/avm/res/net-app/net-app-account/capacity-pool/README.md +++ b/avm/res/net-app/net-app-account/capacity-pool/README.md @@ -15,8 +15,8 @@ This module deploys an Azure NetApp Files Capacity Pool. | Resource Type | API Version | | :-- | :-- | | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.NetApp/netAppAccounts/capacityPools` | [2022-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.NetApp/2022-11-01/netAppAccounts/capacityPools) | -| `Microsoft.NetApp/netAppAccounts/capacityPools/volumes` | [2022-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.NetApp/2022-11-01/netAppAccounts/capacityPools/volumes) | +| `Microsoft.NetApp/netAppAccounts/capacityPools` | [2023-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.NetApp/netAppAccounts/capacityPools) | +| `Microsoft.NetApp/netAppAccounts/capacityPools/volumes` | [2023-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.NetApp/netAppAccounts/capacityPools/volumes) | ## Parameters diff --git a/avm/res/net-app/net-app-account/capacity-pool/main.bicep b/avm/res/net-app/net-app-account/capacity-pool/main.bicep index 31470d825b..40d3ff8012 100644 --- a/avm/res/net-app/net-app-account/capacity-pool/main.bicep 
+++ b/avm/res/net-app/net-app-account/capacity-pool/main.bicep @@ -63,11 +63,11 @@ var builtInRoleNames = { ) } -resource netAppAccount 'Microsoft.NetApp/netAppAccounts@2022-11-01' existing = { +resource netAppAccount 'Microsoft.NetApp/netAppAccounts@2023-11-01' existing = { name: netAppAccountName } -resource capacityPool 'Microsoft.NetApp/netAppAccounts/capacityPools@2022-11-01' = { +resource capacityPool 'Microsoft.NetApp/netAppAccounts/capacityPools@2023-11-01' = { name: name parent: netAppAccount location: location diff --git a/avm/res/net-app/net-app-account/capacity-pool/main.json b/avm/res/net-app/net-app-account/capacity-pool/main.json index 9a7443b188..b8e5230700 100644 --- a/avm/res/net-app/net-app-account/capacity-pool/main.json +++ b/avm/res/net-app/net-app-account/capacity-pool/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.26.54.24096", - "templateHash": "9491401922190427460" + "version": "0.27.1.19265", + "templateHash": "16622075120254910820" }, "name": "Azure NetApp Files Capacity Pools", "description": "This module deploys an Azure NetApp Files Capacity Pool.", @@ -182,12 +182,12 @@ "netAppAccount": { "existing": true, "type": "Microsoft.NetApp/netAppAccounts", - "apiVersion": "2022-11-01", + "apiVersion": "2023-11-01", "name": "[parameters('netAppAccountName')]" }, "capacityPool": { "type": "Microsoft.NetApp/netAppAccounts/capacityPools", - "apiVersion": "2022-11-01", + "apiVersion": "2023-11-01", "name": "[format('{0}/{1}', parameters('netAppAccountName'), parameters('name'))]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", @@ -273,8 +273,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.26.54.24096", - "templateHash": "9587584861242006945" + "version": "0.27.1.19265", + "templateHash": "8316026534353601275" }, "name": "Azure NetApp Files Capacity Pool Volumes", "description": "This module deploys an Azure NetApp Files Capacity Pool Volume.", 
@@ -440,7 +440,7 @@ "netAppAccount::capacityPool": { "existing": true, "type": "Microsoft.NetApp/netAppAccounts/capacityPools", - "apiVersion": "2022-11-01", + "apiVersion": "2023-11-01", "name": "[format('{0}/{1}', parameters('netAppAccountName'), parameters('capacityPoolName'))]", "dependsOn": [ "netAppAccount" @@ -449,12 +449,12 @@ "netAppAccount": { "existing": true, "type": "Microsoft.NetApp/netAppAccounts", - "apiVersion": "2022-11-01", + "apiVersion": "2023-11-01", "name": "[parameters('netAppAccountName')]" }, "volume": { "type": "Microsoft.NetApp/netAppAccounts/capacityPools/volumes", - "apiVersion": "2022-11-01", + "apiVersion": "2023-11-01", "name": "[format('{0}/{1}/{2}', parameters('netAppAccountName'), parameters('capacityPoolName'), parameters('name'))]", "location": "[parameters('location')]", "properties": { @@ -519,7 +519,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference('volume', '2022-11-01', 'full').location]" + "value": "[reference('volume', '2023-11-01', 'full').location]" } } } @@ -557,7 +557,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference('capacityPool', '2022-11-01', 'full').location]" + "value": "[reference('capacityPool', '2023-11-01', 'full').location]" } } } \ No newline at end of file diff --git a/avm/res/net-app/net-app-account/capacity-pool/volume/README.md b/avm/res/net-app/net-app-account/capacity-pool/volume/README.md index f498296bd2..e2e33a659a 100644 --- a/avm/res/net-app/net-app-account/capacity-pool/volume/README.md +++ b/avm/res/net-app/net-app-account/capacity-pool/volume/README.md 
@@ -15,7 +15,7 @@ This module deploys an Azure NetApp Files Capacity Pool Volume. | Resource Type | API Version | | :-- | :-- | | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.NetApp/netAppAccounts/capacityPools/volumes` | [2022-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.NetApp/2022-11-01/netAppAccounts/capacityPools/volumes) | +| `Microsoft.NetApp/netAppAccounts/capacityPools/volumes` | [2023-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.NetApp/netAppAccounts/capacityPools/volumes) | ## Parameters diff --git a/avm/res/net-app/net-app-account/capacity-pool/volume/main.bicep b/avm/res/net-app/net-app-account/capacity-pool/volume/main.bicep index 090acc9bc9..1ec28707cb 100644 --- a/avm/res/net-app/net-app-account/capacity-pool/volume/main.bicep +++ b/avm/res/net-app/net-app-account/capacity-pool/volume/main.bicep @@ -55,15 +55,15 @@ var builtInRoleNames = { ) } -resource netAppAccount 'Microsoft.NetApp/netAppAccounts@2022-11-01' existing = { +resource netAppAccount 'Microsoft.NetApp/netAppAccounts@2023-11-01' existing = { name: netAppAccountName - resource capacityPool 'capacityPools@2022-11-01' existing = { + resource capacityPool 'capacityPools@2023-11-01' existing = { name: capacityPoolName } } -resource volume 'Microsoft.NetApp/netAppAccounts/capacityPools/volumes@2022-11-01' = { +resource volume 'Microsoft.NetApp/netAppAccounts/capacityPools/volumes@2023-11-01' = { name: name parent: netAppAccount::capacityPool location: location diff --git a/avm/res/net-app/net-app-account/capacity-pool/volume/main.json b/avm/res/net-app/net-app-account/capacity-pool/volume/main.json index 864cc09926..7f2640cf7b 100644 --- a/avm/res/net-app/net-app-account/capacity-pool/volume/main.json +++ b/avm/res/net-app/net-app-account/capacity-pool/volume/main.json 
@@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.26.54.24096", - "templateHash": "9587584861242006945" + "version": "0.27.1.19265", + "templateHash": "8316026534353601275" }, "name": "Azure NetApp Files Capacity Pool Volumes", "description": "This module deploys an Azure NetApp Files Capacity Pool Volume.", @@ -172,7 +172,7 @@ "netAppAccount::capacityPool": { "existing": true, "type": "Microsoft.NetApp/netAppAccounts/capacityPools", - "apiVersion": "2022-11-01", + "apiVersion": "2023-11-01", "name": "[format('{0}/{1}', parameters('netAppAccountName'), parameters('capacityPoolName'))]", "dependsOn": [ "netAppAccount" @@ -181,12 +181,12 @@ "netAppAccount": { "existing": true, "type": "Microsoft.NetApp/netAppAccounts", - "apiVersion": "2022-11-01", + "apiVersion": "2023-11-01", "name": "[parameters('netAppAccountName')]" }, "volume": { "type": "Microsoft.NetApp/netAppAccounts/capacityPools/volumes", - "apiVersion": "2022-11-01", + "apiVersion": "2023-11-01", "name": "[format('{0}/{1}/{2}', parameters('netAppAccountName'), parameters('capacityPoolName'), parameters('name'))]", "location": "[parameters('location')]", "properties": { @@ -251,7 +251,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference('volume', '2022-11-01', 'full').location]" + "value": "[reference('volume', '2023-11-01', 'full').location]" } } } \ No newline at end of file diff --git a/avm/res/net-app/net-app-account/main.bicep b/avm/res/net-app/net-app-account/main.bicep index e459b4133d..da40232020 100644 --- a/avm/res/net-app/net-app-account/main.bicep +++ b/avm/res/net-app/net-app-account/main.bicep 
@@ -5,6 +5,12 @@ metadata owner = 'Azure/module-maintainers' @description('Required. The name of the NetApp account.') param name string +@description('Optional. Enable AES encryption on the SMB Server.') +param aesEncryption bool = false + +@description('Optional. The customer managed key definition.') +param customerManagedKey customerManagedKeyType + @description('Optional. Fully Qualified Active Directory DNS Domain Name (e.g. \'contoso.com\').') param domainName string = '' @@ -33,6 +39,9 @@ param managedIdentities managedIdentitiesType @description('Optional. Array of role assignments to create.') param roleAssignments roleAssignmentType +@description('Optional. Specifies whether or not the LDAP traffic needs to be signed.') +param ldapSigning bool = false + @description('Optional. Location for all resources.') param location string = resourceGroup().location @@ -47,10 +56,12 @@ param enableTelemetry bool = true var activeDirectoryConnectionProperties = [ { + aesEncryption: !empty(domainName) ? aesEncryption : false username: !empty(domainName) ? domainJoinUser : null password: !empty(domainName) ? domainJoinPassword : null domain: !empty(domainName) ? domainName : null dns: !empty(domainName) ? dnsServers : null + ldapSigning: !empty(domainName) ? ldapSigning : false smbServerName: !empty(domainName) ? smbServerNamePrefix : null organizationalUnit: !empty(domainJoinOU) ? domainJoinOU : null } 
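Review bot: The descriptions on the new `aesEncryption` (@@ -5) and `ldapSigning` (@@ -33) parameters do not tell a reader that `false` is the less-hardened setting or that it keeps the account's previous behaviour, so a caller hardening an AD-joined SMB deployment has to work that out elsewhere. Suggest `@description('Optional. Enable AES encryption for the SMB server\'s Active Directory authentication. Defaults to false, which keeps the previous behaviour; set to true where the domain supports AES.')` and, for the signing flag, `@description('Optional. Require LDAP traffic to the domain to be signed. Defaults to false; set to true where the domain controllers support or enforce signing.')`. In @@ -47 both values are only forwarded when `domainName` is set, which the parameter descriptions could also state so that setting either flag without a domain is not a silent no-op.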
@@ -83,46 +94,79 @@ var builtInRoleNames = { ) } -resource avmTelemetry 'Microsoft.Resources/deployments@2023-07-01' = - if (enableTelemetry) { - name: '46d3xbcp.res.netapp-netappaccount.${replace('-..--..-', '.', '-')}.${substring(uniqueString(deployment().name, location), 0, 4)}' - properties: { - mode: 'Incremental' - template: { - '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' - contentVersion: '1.0.0.0' - resources: [] - outputs: { - telemetry: { - type: 'String' - value: 'For more information, see https://aka.ms/avm/TelemetryInfo' - } +resource avmTelemetry 'Microsoft.Resources/deployments@2023-07-01' = if (enableTelemetry) { + name: '46d3xbcp.res.netapp-netappaccount.${replace('-..--..-', '.', '-')}.${substring(uniqueString(deployment().name, location), 0, 4)}' + properties: { + mode: 'Incremental' + template: { + '$schema': 'https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#' + contentVersion: '1.0.0.0' + resources: [] + outputs: { + telemetry: { + type: 'String' + value: 'For more information, see https://aka.ms/avm/TelemetryInfo' } } } } +} + +resource cMKKeyVault 'Microsoft.KeyVault/vaults@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId)) { + name: last(split((customerManagedKey.?keyVaultResourceId ?? 'dummyVault'), '/')) + scope: resourceGroup( + split((customerManagedKey.?keyVaultResourceId ?? '//'), '/')[2], + split((customerManagedKey.?keyVaultResourceId ?? '////'), '/')[4] + ) + + resource cMKKey 'keys@2023-02-01' existing = if (!empty(customerManagedKey.?keyVaultResourceId) && !empty(customerManagedKey.?keyName)) { + name: customerManagedKey.?keyName ?? 
'dummyKey' + } +} -resource netAppAccount 'Microsoft.NetApp/netAppAccounts@2022-11-01' = { +resource cMKUserAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' existing = if (!empty(customerManagedKey.?userAssignedIdentityResourceId)) { + name: last(split(customerManagedKey.?userAssignedIdentityResourceId ?? 'dummyMsi', '/')) + scope: resourceGroup( + split((customerManagedKey.?userAssignedIdentityResourceId ?? '//'), '/')[2], + split((customerManagedKey.?userAssignedIdentityResourceId ?? '////'), '/')[4] + ) +} + +resource netAppAccount 'Microsoft.NetApp/netAppAccounts@2023-11-01' = { name: name tags: tags identity: identity location: location properties: { activeDirectories: !empty(domainName) ? activeDirectoryConnectionProperties : null + encryption: !empty(customerManagedKey) + ? { + identity: !empty(customerManagedKey.?userAssignedIdentityResourceId) + ? { + userAssignedIdentity: cMKUserAssignedIdentity.id + } + : null + keySource: 'Microsoft.KeyVault' + keyVaultProperties: { + keyName: customerManagedKey!.keyName + keyVaultResourceId: cMKKeyVault.id + keyVaultUri: cMKKeyVault.properties.vaultUri + } + } + : null } } -resource netAppAccount_lock 'Microsoft.Authorization/locks@2020-05-01' = - if (!empty(lock ?? {}) && lock.?kind != 'None') { - name: lock.?name ?? 'lock-${name}' - properties: { - level: lock.?kind ?? '' - notes: lock.?kind == 'CanNotDelete' - ? 'Cannot delete resource or child resources.' - : 'Cannot delete or modify the resource or child resources.' - } - scope: netAppAccount +resource netAppAccount_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { + name: lock.?name ?? 'lock-${name}' + properties: { + level: lock.?kind ?? '' + notes: lock.?kind == 'CanNotDelete' + ? 'Cannot delete resource or child resources.' + : 'Cannot delete or modify the resource or child resources.' 
} + scope: netAppAccount +} resource netAppAccount_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [ for (roleAssignment, index) in (roleAssignments ?? []): { @@ -214,3 +258,17 @@ type roleAssignmentType = { @description('Optional. The Resource Id of the delegated managed identity resource.') delegatedManagedIdentityResourceId: string? }[]? + +type customerManagedKeyType = { + @description('Required. The resource ID of a key vault to reference a customer managed key for encryption from.') + keyVaultResourceId: string + + @description('Required. The name of the customer managed key to use for encryption.') + keyName: string + + @description('Optional. The version of the customer managed key to reference for encryption. If not provided, using \'latest\'.') + keyVersion: string? + + @description('Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use.') + userAssignedIdentityResourceId: string? +}? diff --git a/avm/res/net-app/net-app-account/main.json b/avm/res/net-app/net-app-account/main.json index 0a8f097fdb..4924115bf0 100644 --- a/avm/res/net-app/net-app-account/main.json +++ b/avm/res/net-app/net-app-account/main.json @@ -5,8 +5,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.26.54.24096", - "templateHash": "5838174533550571700" + "version": "0.27.1.19265", + "templateHash": "17614166962197031000" }, "name": "Azure NetApp Files", "description": "This module deploys an Azure NetApp File.", 
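Review bot: `keyVersion` is declared on `customerManagedKeyType` (the @@ -214 hunk) and documented in the README, but nothing in the `encryption` block of `netAppAccount` reads it, and the nested `cMKKeyVault::cMKKey` existing resource added in this hunk is never referenced either, so a caller who pins a key version silently gets whatever version the vault resolves to. Either wire it through — if the `keyVaultProperties` schema for this API version accepts a key version, resolve it as the sibling AVM CMK modules do, falling back to `last(split(cMKKeyVault::cMKKey.properties.keyUriWithVersion, '/'))` when `customerManagedKey.?keyVersion` is empty — or drop `keyVersion: string?` from the type and its README entry and remove the unused `cMKKey` resource so the interface does not promise what it does not do. Separately, `cMKKeyVault.properties.vaultUri` is read from the existing vault at deployment time, so the deploying principal needs read access to that vault even when the account's identity is what will use the key; a one-line comment above `resource cMKKeyVault` saying so would save the first failed cross-subscription deployment.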
@@ -118,6 +118,38 @@ } }, "nullable": true + }, + "customerManagedKeyType": { + "type": "object", + "properties": { + "keyVaultResourceId": { + "type": "string", + "metadata": { + "description": "Required. The resource ID of a key vault to reference a customer managed key for encryption from." + } + }, + "keyName": { + "type": "string", + "metadata": { + "description": "Required. The name of the customer managed key to use for encryption." + } + }, + "keyVersion": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The version of the customer managed key to reference for encryption. If not provided, using 'latest'." + } + }, + "userAssignedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. User assigned identity to use when fetching the customer managed key. Required if no system assigned identity is available for use." + } + } + }, + "nullable": true } }, "parameters": { @@ -127,6 +159,19 @@ "description": "Required. The name of the NetApp account." } }, + "aesEncryption": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Enable AES encryption on the SMB Server." + } + }, + "customerManagedKey": { + "$ref": "#/definitions/customerManagedKeyType", + "metadata": { + "description": "Optional. The customer managed key definition." + } + }, "domainName": { "type": "string", "defaultValue": "", @@ -188,6 +233,13 @@ "description": "Optional. Array of role assignments to create." } }, + "ldapSigning": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Specifies whether or not the LDAP traffic needs to be signed." + } + }, "location": { "type": "string", "defaultValue": "[resourceGroup().location]", 
@@ -219,10 +271,12 @@ "variables": { "activeDirectoryConnectionProperties": [ { + "aesEncryption": "[if(not(empty(parameters('domainName'))), parameters('aesEncryption'), false())]", "username": "[if(not(empty(parameters('domainName'))), parameters('domainJoinUser'), null())]", "password": "[if(not(empty(parameters('domainName'))), parameters('domainJoinPassword'), null())]", "domain": "[if(not(empty(parameters('domainName'))), parameters('domainName'), null())]", "dns": "[if(not(empty(parameters('domainName'))), parameters('dnsServers'), null())]", + "ldapSigning": "[if(not(empty(parameters('domainName'))), parameters('ldapSigning'), false())]", "smbServerName": "[if(not(empty(parameters('domainName'))), parameters('smbServerNamePrefix'), null())]", "organizationalUnit": "[if(not(empty(parameters('domainJoinOU'))), parameters('domainJoinOU'), null())]" } @@ -238,6 +292,18 @@ } }, "resources": { + "cMKKeyVault::cMKKey": { + "condition": "[and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), and(not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'))), not(empty(tryGet(parameters('customerManagedKey'), 'keyName')))))]", + "existing": true, + "type": "Microsoft.KeyVault/vaults/keys", + "apiVersion": "2023-02-01", + "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", + "name": "[format('{0}/{1}', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/')), coalesce(tryGet(parameters('customerManagedKey'), 'keyName'), 'dummyKey'))]", + "dependsOn": [ + "cMKKeyVault" + ] + }, "avmTelemetry": { "condition": "[parameters('enableTelemetry')]", "type": "Microsoft.Resources/deployments", 
@@ -258,16 +324,39 @@ } } }, + "cMKKeyVault": { + "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId')))]", + "existing": true, + "type": "Microsoft.KeyVault/vaults", + "apiVersion": "2023-02-01", + "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]]", + "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/'))]" + }, + "cMKUserAssignedIdentity": { + "condition": "[not(empty(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId')))]", + "existing": true, + "type": "Microsoft.ManagedIdentity/userAssignedIdentities", + "apiVersion": "2023-01-31", + "subscriptionId": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '////'), '/')[4]]", + "name": "[last(split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), 'dummyMsi'), '/'))]" + }, "netAppAccount": { "type": "Microsoft.NetApp/netAppAccounts", - "apiVersion": "2022-11-01", + "apiVersion": "2023-11-01", "name": "[parameters('name')]", "tags": "[parameters('tags')]", "identity": "[variables('identity')]", "location": "[parameters('location')]", "properties": { - "activeDirectories": "[if(not(empty(parameters('domainName'))), variables('activeDirectoryConnectionProperties'), null())]" - } + "activeDirectories": "[if(not(empty(parameters('domainName'))), variables('activeDirectoryConnectionProperties'), null())]", + "encryption": "[if(not(empty(parameters('customerManagedKey'))), createObject('identity', if(not(empty(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'))), createObject('userAssignedIdentity', 
extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '//'), '/')[2], split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), '////'), '/')[4]), 'Microsoft.ManagedIdentity/userAssignedIdentities', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'userAssignedIdentityResourceId'), 'dummyMsi'), '/')))), null()), 'keySource', 'Microsoft.KeyVault', 'keyVaultProperties', createObject('keyName', parameters('customerManagedKey').keyName, 'keyVaultResourceId', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '//'), '/')[2], split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), '////'), '/')[4]), 'Microsoft.KeyVault/vaults', last(split(coalesce(tryGet(parameters('customerManagedKey'), 'keyVaultResourceId'), 'dummyVault'), '/'))), 'keyVaultUri', reference('cMKKeyVault').vaultUri)), null())]" + }, + "dependsOn": [ + "cMKKeyVault", + "cMKUserAssignedIdentity" + ] }, "netAppAccount_lock": { "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", @@ -348,8 +437,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.26.54.24096", - "templateHash": "9491401922190427460" + "version": "0.27.1.19265", + "templateHash": "16622075120254910820" }, "name": "Azure NetApp Files Capacity Pools", "description": "This module deploys an Azure NetApp Files Capacity Pool.", 
@@ -525,12 +614,12 @@ "netAppAccount": { "existing": true, "type": "Microsoft.NetApp/netAppAccounts", - "apiVersion": "2022-11-01", + "apiVersion": "2023-11-01", "name": "[parameters('netAppAccountName')]" }, "capacityPool": { "type": "Microsoft.NetApp/netAppAccounts/capacityPools", - "apiVersion": "2022-11-01", + "apiVersion": "2023-11-01", "name": "[format('{0}/{1}', parameters('netAppAccountName'), parameters('name'))]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", @@ -616,8 +705,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.26.54.24096", - "templateHash": "9587584861242006945" + "version": "0.27.1.19265", + "templateHash": "8316026534353601275" }, "name": "Azure NetApp Files Capacity Pool Volumes", "description": "This module deploys an Azure NetApp Files Capacity Pool Volume.", @@ -783,7 +872,7 @@ "netAppAccount::capacityPool": { "existing": true, "type": "Microsoft.NetApp/netAppAccounts/capacityPools", - "apiVersion": "2022-11-01", + "apiVersion": "2023-11-01", "name": "[format('{0}/{1}', parameters('netAppAccountName'), parameters('capacityPoolName'))]", "dependsOn": [ "netAppAccount" @@ -792,12 +881,12 @@ "netAppAccount": { "existing": true, "type": "Microsoft.NetApp/netAppAccounts", - "apiVersion": "2022-11-01", + "apiVersion": "2023-11-01", "name": "[parameters('netAppAccountName')]" }, "volume": { "type": "Microsoft.NetApp/netAppAccounts/capacityPools/volumes", - "apiVersion": "2022-11-01", + "apiVersion": "2023-11-01", "name": "[format('{0}/{1}/{2}', parameters('netAppAccountName'), parameters('capacityPoolName'), parameters('name'))]", "location": "[parameters('location')]", "properties": { @@ -862,7 +951,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference('volume', '2022-11-01', 'full').location]" + "value": "[reference('volume', '2023-11-01', 'full').location]" } } } 
@@ -900,7 +989,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference('capacityPool', '2022-11-01', 'full').location]" + "value": "[reference('capacityPool', '2023-11-01', 'full').location]" } } } @@ -937,7 +1026,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference('netAppAccount', '2022-11-01', 'full').location]" + "value": "[reference('netAppAccount', '2023-11-01', 'full').location]" } } } \ No newline at end of file