diff --git a/carml/1.3.0/Microsoft.Network/azureFirewalls/deploy.bicep b/carml/1.3.0/Microsoft.Network/azureFirewalls/deploy.bicep
index 3b9d22b13..7281725d3 100644
--- a/carml/1.3.0/Microsoft.Network/azureFirewalls/deploy.bicep
+++ b/carml/1.3.0/Microsoft.Network/azureFirewalls/deploy.bicep
@@ -222,7 +222,7 @@ module publicIPAddress '../../Microsoft.Network/publicIPAddresses/deploy.bicep'
 ]
 location: location
 diagnosticStorageAccountId: diagnosticStorageAccountId
- diagnosticLogsRetentionInDays: diagnosticLogsRetentionInDays
+ //diagnosticLogsRetentionInDays: diagnosticLogsRetentionInDays
 diagnosticWorkspaceId: diagnosticWorkspaceId
 diagnosticEventHubAuthorizationRuleId: diagnosticEventHubAuthorizationRuleId
 diagnosticEventHubName: diagnosticEventHubName
diff --git a/workload/arm/deploy-baseline.json b/workload/arm/deploy-baseline.json
index 587d1c2e7..b0deb342f 100644
--- a/workload/arm/deploy-baseline.json
+++ b/workload/arm/deploy-baseline.json
@@ -4,8 +4,8 @@
 "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "1320913085188889159" + "version": "0.21.1.54444", + "templateHash": "2710012389240087448" }, "name": "AVD Accelerator - Baseline Deployment", "description": "AVD Accelerator - Deployment Baseline"
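Review bot: The `diagnosticLogsRetentionInDays` argument to the `publicIPAddress` module in `azureFirewalls/deploy.bicep` is commented out rather than removed, and nothing on the line says why. With the argument gone, the public IP module presumably falls back to the default its own parameter declares, so a retention value supplied to the firewall module no longer reaches the public IP's diagnostic settings. Either delete the line or keep it with a stated reason, e.g. `// diagnosticLogsRetentionInDays intentionally not forwarded: <reason>`. The file sits under the versioned `carml/1.3.0` tree, so this local edit will also diverge from the module copy it was taken from. The module block starts and ends outside the hunk.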
@@ -14,32 +14,32 @@ "deploymentPrefix": { "type": "string", "defaultValue": "AVD1", + "minLength": 2, + "maxLength": 4, "metadata": { "description": "The name of the resource group to deploy. (Default: AVD1)" - }, - "maxLength": 4, - "minLength": 2 + } }, "deploymentEnvironment": { "type": "string", "defaultValue": "Dev", - "metadata": { - "description": "The name of the resource group to deploy. (Default: Dev)" - }, "allowedValues": [ "Dev", "Test", "Prod" - ] + ], + "metadata": { + "description": "The name of the resource group to deploy. (Default: Dev)" + } }, "diskEncryptionKeyExpirationInDays": { "type": "int", "defaultValue": 60, + "minValue": 30, + "maxValue": 730, "metadata": { "description": "This value is used to set the expiration date on the disk encryption key. (Default: 60)" - }, - "minValue": 30, - "maxValue": 730 + } }, "avdSessionHostLocation": { "type": "string", @@ -84,14 +84,14 @@ "avdIdentityServiceProvider": { "type": "string", "defaultValue": "ADDS", - "metadata": { - "description": "Required, The service providing domain services for Azure Virtual Desktop. (Default: ADDS)" - }, "allowedValues": [ "ADDS", "AADDS", "AAD" - ] + ], + "metadata": { + "description": "Required, The service providing domain services for Azure Virtual Desktop. (Default: ADDS)" + } }, "createIntuneEnrollment": { "type": "bool", @@ -110,14 +110,14 @@ "avdApplicationGroupIdentityType": { "type": "string", "defaultValue": "Group", - "metadata": { - "description": "Optional, Identity type to grant RBAC role to access AVD application group. (Default: Group)" - }, "allowedValues": [ "Group", "ServicePrincipal", "User" - ] + ], + "metadata": { + "description": "Optional, Identity type to grant RBAC role to access AVD application group. (Default: Group)" + } }, "avdIdentityDomainName": { "type": "string", 
@@ -156,13 +156,13 @@ "avdHostPoolType": { "type": "string", "defaultValue": "Pooled", - "metadata": { - "description": "AVD host pool type. (Default: Pooled)" - }, "allowedValues": [ "Personal", "Pooled" - ] + ], + "metadata": { + "description": "AVD host pool type. (Default: Pooled)" + } }, "hostPoolPreferredAppGroupType": { "type": "string", @@ -178,24 +178,24 @@ "avdPersonalAssignType": { "type": "string", "defaultValue": "Automatic", - "metadata": { - "description": "AVD host pool type. (Default: Automatic)" - }, "allowedValues": [ "Automatic", "Direct" - ] + ], + "metadata": { + "description": "AVD host pool type. (Default: Automatic)" + } }, "avdHostPoolLoadBalancerType": { "type": "string", "defaultValue": "BreadthFirst", - "metadata": { - "description": "AVD host pool load balacing type. (Default: BreadthFirst)" - }, "allowedValues": [ "BreadthFirst", "DepthFirst" - ] + ], + "metadata": { + "description": "AVD host pool load balacing type. (Default: BreadthFirst)" + } }, "hostPoolMaxSessions": { "type": "int", @@ -316,6 +316,20 @@ "description": "Does the hub contains a virtual network gateway. (Default: false)" } }, + "deployAvdFirewall": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Create Azure Firewall and Azure Firewall Policy. (Default: false)" + } + }, + "firewallSubnetAddressPrefix": { + "type": "string", + "defaultValue": "10.0.2.0/24", + "metadata": { + "description": "AzureFirewallSubnet prefixes. (Default: 10.0.2.0/24)" + } + }, "createAvdFslogixDeployment": { "type": "bool", "defaultValue": true, @@ -396,11 +410,11 @@ "avdDeploySessionHostsCount": { "type": "int", "defaultValue": 1, + "minValue": 1, + "maxValue": 100, "metadata": { "description": "Quantity of session hosts to deploy. (Default: 1)" - }, - "maxValue": 100, - "minValue": 1 + } }, "avdSessionHostCountIndex": { "type": "int", 
@@ -440,24 +454,24 @@ "fslogixStoragePerformance": { "type": "string", "defaultValue": "Premium", - "metadata": { - "description": "Storage account SKU for FSLogix storage. Recommended tier is Premium (Default: Premium)" - }, "allowedValues": [ "Standard", "Premium" - ] + ], + "metadata": { + "description": "Storage account SKU for FSLogix storage. Recommended tier is Premium (Default: Premium)" + } }, "msixStoragePerformance": { "type": "string", "defaultValue": "Premium", - "metadata": { - "description": "Storage account SKU for MSIX storage. Recommended tier is Premium. (Default: Premium)" - }, "allowedValues": [ "Standard", "Premium" - ] + ], + "metadata": { + "description": "Storage account SKU for MSIX storage. Recommended tier is Premium. (Default: Premium)" + } }, "diskZeroTrust": { "type": "bool", @@ -490,14 +504,14 @@ "securityType": { "type": "string", "defaultValue": "TrustedLaunch", - "metadata": { - "description": "Specifies the securityType of the virtual machine. \"ConfidentialVM\" and \"TrustedLaunch\" require a Gen2 Image. (Default: TrustedLaunch)" - }, "allowedValues": [ "Standard", "TrustedLaunch", "ConfidentialVM" - ] + ], + "metadata": { + "description": "Specifies the securityType of the virtual machine. \"ConfidentialVM\" and \"TrustedLaunch\" require a Gen2 Image. (Default: TrustedLaunch)" + } }, "secureBootEnabled": { "type": "bool", @@ -516,9 +530,6 @@ "avdOsImage": { "type": "string", "defaultValue": "win11_22h2", - "metadata": { - "description": "AVD OS image SKU. (Default: win11-21h2)" - }, "allowedValues": [ "win10_21h2", "win10_21h2_office", @@ -528,7 +539,10 @@ "win11_21h2_office", "win11_22h2", "win11_22h2_office" - ] + ], + "metadata": { + "description": "AVD OS image SKU. (Default: win11-21h2)" + } }, "managementVmOsImage": { "type": "string", 
@@ -575,194 +589,194 @@ "avdServiceObjectsRgCustomName": { "type": "string", "defaultValue": "rg-avd-app1-dev-use2-service-objects", + "maxLength": 90, "metadata": { "description": "AVD service resources resource group custom name. (Default: rg-avd-app1-dev-use2-service-objects)" - }, - "maxLength": 90 + } }, "avdNetworkObjectsRgCustomName": { "type": "string", "defaultValue": "rg-avd-app1-dev-use2-network", + "maxLength": 90, "metadata": { "description": "AVD network resources resource group custom name. (Default: rg-avd-app1-dev-use2-network)" - }, - "maxLength": 90 + } }, "avdComputeObjectsRgCustomName": { "type": "string", "defaultValue": "rg-avd-app1-dev-use2-pool-compute", + "maxLength": 90, "metadata": { "description": "AVD network resources resource group custom name. (Default: rg-avd-app1-dev-use2-pool-compute)" - }, - "maxLength": 90 + } }, "avdStorageObjectsRgCustomName": { "type": "string", "defaultValue": "rg-avd-app1-dev-use2-storage", + "maxLength": 90, "metadata": { "description": "AVD network resources resource group custom name. (Default: rg-avd-app1-dev-use2-storage)" - }, - "maxLength": 90 + } }, "avdMonitoringRgCustomName": { "type": "string", "defaultValue": "rg-avd-dev-use2-monitoring", + "maxLength": 90, "metadata": { "description": "AVD monitoring resource group custom name. (Default: rg-avd-dev-use2-monitoring)" - }, - "maxLength": 90 + } }, "avdVnetworkCustomName": { "type": "string", "defaultValue": "vnet-app1-dev-use2-001", + "maxLength": 64, "metadata": { "description": "AVD virtual network custom name. (Default: vnet-app1-dev-use2-001)" - }, - "maxLength": 64 + } }, "avdAlaWorkspaceCustomName": { "type": "string", "defaultValue": "log-avd-app1-dev-use2", + "maxLength": 64, "metadata": { "description": "AVD Azure log analytics workspace custom name. 
(Default: log-avd-app1-dev-use2)" - }, - "maxLength": 64 + } }, "avdVnetworkSubnetCustomName": { "type": "string", "defaultValue": "snet-avd-app1-dev-use2-001", + "maxLength": 80, "metadata": { "description": "AVD virtual network subnet custom name. (Default: snet-avd-app1-dev-use2-001)" - }, - "maxLength": 80 + } }, "privateEndpointVnetworkSubnetCustomName": { "type": "string", "defaultValue": "snet-pe-app1-dev-use2-001", + "maxLength": 80, "metadata": { "description": "private endpoints virtual network subnet custom name. (Default: snet-pe-app1-dev-use2-001)" - }, - "maxLength": 80 + } }, "avdNetworksecurityGroupCustomName": { "type": "string", "defaultValue": "nsg-avd-app1-dev-use2-001", + "maxLength": 80, "metadata": { "description": "AVD network security group custom name. (Default: nsg-avd-app1-dev-use2-001)" - }, - "maxLength": 80 + } }, "privateEndpointNetworksecurityGroupCustomName": { "type": "string", "defaultValue": "nsg-pe-app1-dev-use2-001", + "maxLength": 80, "metadata": { "description": "Private endpoint network security group custom name. (Default: nsg-pe-app1-dev-use2-001)" - }, - "maxLength": 80 + } }, "avdRouteTableCustomName": { "type": "string", "defaultValue": "route-avd-app1-dev-use2-001", + "maxLength": 80, "metadata": { "description": "AVD route table custom name. (Default: route-avd-app1-dev-use2-001)" - }, - "maxLength": 80 + } }, "privateEndpointRouteTableCustomName": { "type": "string", "defaultValue": "route-pe-app1-dev-use2-001", + "maxLength": 80, "metadata": { "description": "Private endpoint route table custom name. (Default: route-avd-app1-dev-use2-001)" - }, - "maxLength": 80 + } }, "avdApplicationSecurityGroupCustomName": { "type": "string", "defaultValue": "asg-app1-dev-use2-001", + "maxLength": 80, "metadata": { "description": "AVD application security custom name. 
(Default: asg-app1-dev-use2-001)" - }, - "maxLength": 80 + } }, "avdWorkSpaceCustomName": { "type": "string", "defaultValue": "vdws-app1-dev-use2-001", + "maxLength": 64, "metadata": { "description": "AVD workspace custom name. (Default: vdws-app1-dev-use2-001)" - }, - "maxLength": 64 + } }, "avdWorkSpaceCustomFriendlyName": { "type": "string", "defaultValue": "App1 - Dev - East US 2 - 001", + "maxLength": 64, "metadata": { "description": "AVD workspace custom friendly (Display) name. (Default: App1 - Dev - East US 2 - 001)" - }, - "maxLength": 64 + } }, "avdHostPoolCustomName": { "type": "string", "defaultValue": "vdpool-app1-dev-use2-001", + "maxLength": 64, "metadata": { "description": "AVD host pool custom name. (Default: vdpool-app1-dev-use2-001)" - }, - "maxLength": 64 + } }, "avdHostPoolCustomFriendlyName": { "type": "string", "defaultValue": "App1 - Dev - East US 2 - 001", + "maxLength": 64, "metadata": { "description": "AVD host pool custom friendly (Display) name. (Default: App1 - East US - Dev - 001)" - }, - "maxLength": 64 + } }, "avdScalingPlanCustomName": { "type": "string", "defaultValue": "vdscaling-app1-dev-use2-001", + "maxLength": 64, "metadata": { "description": "AVD scaling plan custom name. (Default: vdscaling-app1-dev-use2-001)" - }, - "maxLength": 64 + } }, "avdApplicationGroupCustomName": { "type": "string", "defaultValue": "vdag-desktop-app1-dev-use2-001", + "maxLength": 64, "metadata": { "description": "AVD desktop application group custom name. (Default: vdag-desktop-app1-dev-use2-001)" - }, - "maxLength": 64 + } }, "avdApplicationGroupCustomFriendlyName": { "type": "string", "defaultValue": "Desktops - App1 - Dev - East US 2 - 001", + "maxLength": 64, "metadata": { "description": "AVD desktop application group custom friendly (Display) name. 
(Default: Desktops - App1 - East US - Dev - 001)" - }, - "maxLength": 64 + } }, "avdSessionHostCustomNamePrefix": { "type": "string", "defaultValue": "vmapp1duse2", + "maxLength": 11, "metadata": { "description": "AVD session host prefix custom name. (Default: vmapp1duse2)" - }, - "maxLength": 11 + } }, "avsetCustomNamePrefix": { "type": "string", "defaultValue": "avail", + "maxLength": 9, "metadata": { "description": "AVD availability set custom name. (Default: avail)" - }, - "maxLength": 9 + } }, "storageAccountPrefixCustomName": { "type": "string", "defaultValue": "st", + "maxLength": 2, "metadata": { "description": "AVD FSLogix and MSIX app attach storage account prefix custom name. (Default: st)" - }, - "maxLength": 2 + } }, "fslogixFileShareCustomName": { "type": "string", @@ -781,34 +795,34 @@ "avdWrklKvPrefixCustomName": { "type": "string", "defaultValue": "kv-sec", + "maxLength": 6, "metadata": { "description": "AVD keyvault prefix custom name (with Zero Trust to store credentials to domain join and local admin). (Default: kv-sec)" - }, - "maxLength": 6 + } }, "ztDiskEncryptionSetCustomNamePrefix": { "type": "string", "defaultValue": "des-zt", + "maxLength": 6, "metadata": { "description": "AVD disk encryption set custom name. (Default: des-zt)" - }, - "maxLength": 6 + } }, "ztManagedIdentityCustomName": { "type": "string", "defaultValue": "id-zt", + "maxLength": 5, "metadata": { "description": "AVD managed identity for zero trust to encrypt managed disks using a customer managed key. (Default: id-zt)" - }, - "maxLength": 5 + } }, "ztKvPrefixCustomName": { "type": "string", "defaultValue": "kv-key", + "maxLength": 6, "metadata": { "description": "AVD key vault custom name for zero trust and store store disk encryption key (Default: kv-key)" - }, - "maxLength": 6 + } }, "createResourceTags": { "type": "bool", 
@@ -827,29 +841,29 @@ "workloadTypeTag": { "type": "string", "defaultValue": "Light", - "metadata": { - "description": "Reference to the size of the VM for your workloads (Default: Light)" - }, "allowedValues": [ "Light", "Medium", "High", "Power" - ] + ], + "metadata": { + "description": "Reference to the size of the VM for your workloads (Default: Light)" + } }, "dataClassificationTag": { "type": "string", "defaultValue": "Non-business", - "metadata": { - "description": "Sensitivity of data hosted (Default: Non-business)" - }, "allowedValues": [ "Non-business", "Public", "General", "Confidential", "Highly-confidential" - ] + ], + "metadata": { + "description": "Sensitivity of data hosted (Default: Non-business)" + } }, "departmentTag": { "type": "string", @@ -861,16 +875,16 @@ "workloadCriticalityTag": { "type": "string", "defaultValue": "Low", - "metadata": { - "description": "Criticality of the workload. (Default: Low)" - }, "allowedValues": [ "Low", "Medium", "High", "Mission-critical", "Custom" - ] + ], + "metadata": { + "description": "Criticality of the workload. (Default: Low)" + } }, "workloadCriticalityCustomValueTag": { "type": "string", 
@@ -1234,6 +1248,13 @@ "varAvdRouteTableName": "[if(parameters('avdUseCustomNaming'), parameters('avdRouteTableCustomName'), format('route-avd-{0}-001', variables('varComputeStorageResourcesNamingStandard')))]", "varPrivateEndpointRouteTableName": "[if(parameters('avdUseCustomNaming'), parameters('privateEndpointRouteTableCustomName'), format('route-pe-{0}-001', variables('varComputeStorageResourcesNamingStandard')))]", "varApplicationSecurityGroupName": "[if(parameters('avdUseCustomNaming'), parameters('avdApplicationSecurityGroupCustomName'), format('asg-{0}-001', variables('varComputeStorageResourcesNamingStandard')))]", + "varFiwewallName": "[format('fw-avd-{0}', variables('varHubVnetName'))]", + "varFiwewallPolicyName": "[format('fwpol-avd-{0}', variables('varHubVnetName'))]", + "varFiwewallPolicyRuleCollectionGroupName": "[format('{0}-rcg', variables('varFiwewallPolicyName'))]", + "varFiwewallPolicyNetworkRuleCollectionName": "[format('{0}-nw-rule-collection', variables('varFiwewallPolicyName'))]", + "varFiwewallPolicyOptionalRuleCollectionGroupName": "[format('{0}-rcg-optional', variables('varFiwewallPolicyName'))]", + "varFiwewallPolicyOptionalNetworkRuleCollectionName": "[format('{0}-nw-rule-collection-optional', variables('varFiwewallPolicyName'))]", + "varFiwewallPolicyOptionalApplicationRuleCollectionName": "[format('{0}-app-rule-collection-optional', variables('varFiwewallPolicyName'))]", "varWorkSpaceName": "[if(parameters('avdUseCustomNaming'), parameters('avdWorkSpaceCustomName'), format('vdws-{0}-001', variables('varManagementPlaneNamingStandard')))]", "varWorkSpaceFriendlyName": "[if(parameters('avdUseCustomNaming'), parameters('avdWorkSpaceCustomFriendlyName'), format('Workspace {0} {1} {2} 001', parameters('deploymentPrefix'), parameters('deploymentEnvironment'), parameters('avdManagementPlaneLocation')))]", "varHostPoolName": "[if(parameters('avdUseCustomNaming'), parameters('avdHostPoolCustomName'), format('vdpool-{0}-001', 
variables('varManagementPlaneNamingStandard')))]", @@ -1560,8 +1581,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "16670742080494531396" + "version": "0.21.1.54444", + "templateHash": "16305048561599990873" } }, "parameters": { @@ -1581,14 +1602,14 @@ "lock": { "type": "string", "defaultValue": "", - "metadata": { - "description": "Optional. Specify the type of lock." - }, "allowedValues": [ "", "CanNotDelete", "ReadOnly" - ] + ], + "metadata": { + "description": "Optional. Specify the type of lock." + } }, "roleAssignments": { "type": "array", @@ -1669,8 +1690,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "6601448312481874939" + "version": "0.21.1.54444", + "templateHash": "6750369994052504038" } }, "parameters": { @@ -1683,13 +1704,13 @@ }, "level": { "type": "string", - "metadata": { - "description": "Required. Set lock level." - }, "allowedValues": [ "CanNotDelete", "ReadOnly" - ] + ], + "metadata": { + "description": "Required. Set lock level." + } }, "notes": { "type": "string", @@ -1799,8 +1820,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "10998474410748060366" + "version": "0.21.1.54444", + "templateHash": "1146156557420886689" } }, "parameters": { @@ -2160,8 +2181,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "16670742080494531396" + "version": "0.21.1.54444", + "templateHash": "16305048561599990873" } }, "parameters": { @@ -2181,14 +2202,14 @@ "lock": { "type": "string", "defaultValue": "", - "metadata": { - "description": "Optional. Specify the type of lock." - }, "allowedValues": [ "", "CanNotDelete", "ReadOnly" - ] + ], + "metadata": { + "description": "Optional. Specify the type of lock." + } }, "roleAssignments": { "type": "array", 
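Review bot: The seven variables added in the `@@ -1234,6 +1248,13 @@` hunk are spelled `varFiwewall…` (`varFiwewallName`, `varFiwewallPolicyName` and the five rule-collection names derived from it). The same spelling is repeated where they are passed to the networking deployment in the `@@ -8342,7 +8363,34 @@` hunk. This template is Bicep build output, so rename them to `varFirewall…` in the Bicep source and regenerate rather than editing the JSON by hand.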
@@ -2269,8 +2290,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "6601448312481874939" + "version": "0.21.1.54444", + "templateHash": "6750369994052504038" } }, "parameters": { @@ -2283,13 +2304,13 @@ }, "level": { "type": "string", - "metadata": { - "description": "Required. Set lock level." - }, "allowedValues": [ "CanNotDelete", "ReadOnly" - ] + ], + "metadata": { + "description": "Required. Set lock level." + } }, "notes": { "type": "string", @@ -2399,8 +2420,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "10998474410748060366" + "version": "0.21.1.54444", + "templateHash": "1146156557420886689" } }, "parameters": { @@ -2755,8 +2776,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "16670742080494531396" + "version": "0.21.1.54444", + "templateHash": "16305048561599990873" } }, "parameters": { @@ -2776,14 +2797,14 @@ "lock": { "type": "string", "defaultValue": "", - "metadata": { - "description": "Optional. Specify the type of lock." - }, "allowedValues": [ "", "CanNotDelete", "ReadOnly" - ] + ], + "metadata": { + "description": "Optional. Specify the type of lock." + } }, "roleAssignments": { "type": "array", @@ -2864,8 +2885,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "6601448312481874939" + "version": "0.21.1.54444", + "templateHash": "6750369994052504038" } }, "parameters": { @@ -2878,13 +2899,13 @@ }, "level": { "type": "string", - "metadata": { - "description": "Required. Set lock level." - }, "allowedValues": [ "CanNotDelete", "ReadOnly" - ] + ], + "metadata": { + "description": "Required. Set lock level." + } }, "notes": { "type": "string", 
@@ -2994,8 +3015,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "10998474410748060366" + "version": "0.21.1.54444", + "templateHash": "1146156557420886689" } }, "parameters": { @@ -3368,8 +3389,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "3035548163754880904" + "version": "0.21.1.54444", + "templateHash": "3182944092420253110" } }, "parameters": { @@ -3492,8 +3513,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "16670742080494531396" + "version": "0.21.1.54444", + "templateHash": "16305048561599990873" } }, "parameters": { @@ -3513,14 +3534,14 @@ "lock": { "type": "string", "defaultValue": "", - "metadata": { - "description": "Optional. Specify the type of lock." - }, "allowedValues": [ "", "CanNotDelete", "ReadOnly" - ] + ], + "metadata": { + "description": "Optional. Specify the type of lock." + } }, "roleAssignments": { "type": "array", @@ -3601,8 +3622,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "6601448312481874939" + "version": "0.21.1.54444", + "templateHash": "6750369994052504038" } }, "parameters": { @@ -3615,13 +3636,13 @@ }, "level": { "type": "string", - "metadata": { - "description": "Required. Set lock level." - }, "allowedValues": [ "CanNotDelete", "ReadOnly" - ] + ], + "metadata": { + "description": "Required. Set lock level." + } }, "notes": { "type": "string", @@ -3731,8 +3752,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "10998474410748060366" + "version": "0.21.1.54444", + "templateHash": "1146156557420886689" } }, "parameters": { @@ -4092,8 +4113,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "9723296804992458231" + "version": "0.21.1.54444", + "templateHash": "1156178304169403377" } }, "parameters": { 
@@ -4182,8 +4203,8 @@ "dataRetention": { "type": "int", "defaultValue": 365, - "maxValue": 730, "minValue": 0, + "maxValue": 730, "metadata": { "description": "Optional. Number of days data will be retained for." } @@ -4242,8 +4263,8 @@ "diagnosticLogsRetentionInDays": { "type": "int", "defaultValue": 365, - "maxValue": 365, "minValue": 0, + "maxValue": 365, "metadata": { "description": "Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely." } @@ -4286,14 +4307,14 @@ "lock": { "type": "string", "defaultValue": "", - "metadata": { - "description": "Optional. Specify the type of lock." - }, "allowedValues": [ "", "CanNotDelete", "ReadOnly" - ] + ], + "metadata": { + "description": "Optional. Specify the type of lock." + } }, "roleAssignments": { "type": "array", @@ -4486,8 +4507,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "1015616738226483875" + "version": "0.21.1.54444", + "templateHash": "13379431903908500265" } }, "parameters": { @@ -4630,8 +4651,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "9976669288431551452" + "version": "0.21.1.54444", + "templateHash": "18035599797024630806" } }, "parameters": { @@ -4764,8 +4785,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "3402933947779868845" + "version": "0.21.1.54444", + "templateHash": "15194527127560537713" } }, "parameters": { @@ -4899,8 +4920,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "12988075953101096314" + "version": "0.21.1.54444", + "templateHash": "14867461711977977980" } }, "parameters": { 
@@ -5071,15 +5092,15 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "3289166297924789550" + "version": "0.21.1.54444", + "templateHash": "1856549003153181310" } }, "parameters": { "name": { "type": "string", - "maxLength": 63, "minLength": 4, + "maxLength": 63, "metadata": { "description": "Required. The data export rule name." } @@ -5218,8 +5239,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "18044483929875331860" + "version": "0.21.1.54444", + "templateHash": "3069063252346343891" } }, "parameters": { @@ -5445,8 +5466,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "1145398762062008037" + "version": "0.21.1.54444", + "templateHash": "15607599815412583880" } }, "parameters": { @@ -5490,8 +5511,8 @@ "retentionInDays": { "type": "int", "defaultValue": -1, - "maxValue": 730, "minValue": -1, + "maxValue": 730, "metadata": { "description": "Optional. The table retention in days, between 4 and 730. Setting this property to -1 will default to the workspace retention." } @@ -5513,8 +5534,8 @@ "totalRetentionInDays": { "type": "int", "defaultValue": -1, - "maxValue": 2555, "minValue": -1, + "maxValue": 2555, "metadata": { "description": "Optional. The table total retention in days, between 4 and 2555. Setting this property to -1 will default to table retention." } @@ -5614,8 +5635,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "15503229472224280826" + "version": "0.21.1.54444", + "templateHash": "15387093705469323985" } }, "parameters": { @@ -5765,8 +5786,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "7352784420507326330" + "version": "0.21.1.54444", + "templateHash": "3735355062180278453" } }, "parameters": { 
@@ -5979,8 +6000,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "6119857452463366145" + "version": "0.21.1.54444", + "templateHash": "8145106657487286483" } }, "parameters": { @@ -6121,14 +6142,14 @@ "lock": { "type": "string", "defaultValue": "", - "metadata": { - "description": "Optional. Specify the type of lock." - }, "allowedValues": [ "", "CanNotDelete", "ReadOnly" - ] + ], + "metadata": { + "description": "Optional. Specify the type of lock." + } }, "tags": { "type": "object", @@ -6288,8 +6309,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "16579532157576436548" + "version": "0.21.1.54444", + "templateHash": "13887797196136912022" } }, "parameters": { @@ -6620,8 +6641,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "5657647834665443119" + "version": "0.21.1.54444", + "templateHash": "12317712979554879023" } }, "parameters": { @@ -6803,8 +6824,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "5539435599928560626" + "version": "0.21.1.54444", + "templateHash": "1777331299932618478" } }, "parameters": { @@ -6982,8 +7003,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "17165573628970783202" + "version": "0.21.1.54444", + "templateHash": "14228229460676709073" } }, "parameters": { @@ -7251,8 +7272,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "13416191842446717007" + "version": "0.21.1.54444", + "templateHash": "4137783479866222342" } }, "parameters": { @@ -7332,8 +7353,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "7759814680098607558" + "version": "0.21.1.54444", + "templateHash": "17066253197438681775" } }, "parameters": { 
@@ -7804,8 +7825,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "18044483929875331860" + "version": "0.21.1.54444", + "templateHash": "3069063252346343891" } }, "parameters": { @@ -8037,8 +8058,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "18044483929875331860" + "version": "0.21.1.54444", + "templateHash": "3069063252346343891" } }, "parameters": { 
@@ -8342,7 +8363,34 @@ "value": "[variables('varDnsServers')]" }, "tags": "[if(parameters('createResourceTags'), createObject('value', union(variables('varCustomResourceTags'), variables('varAvdDefaultTags'))), createObject('value', variables('varAvdDefaultTags')))]", - "alaWorkspaceResourceId": "[if(parameters('avdDeployMonitoring'), if(parameters('deployAlaWorkspace'), createObject('value', reference(subscriptionResourceId('Microsoft.Resources/deployments', format('Monitoring-{0}', parameters('time'))), '2022-09-01').outputs.avdAlaWorkspaceResourceId.value), createObject('value', parameters('alaExistingWorkspaceResourceId'))), createObject('value', ''))]" + "alaWorkspaceResourceId": "[if(parameters('avdDeployMonitoring'), if(parameters('deployAlaWorkspace'), createObject('value', reference(subscriptionResourceId('Microsoft.Resources/deployments', format('Monitoring-{0}', parameters('time'))), '2022-09-01').outputs.avdAlaWorkspaceResourceId.value), createObject('value', parameters('alaExistingWorkspaceResourceId'))), createObject('value', ''))]", + "deployAvdFirewall": { + "value": "[parameters('deployAvdFirewall')]" + }, + "firewallName": { + "value": "[variables('varFiwewallName')]" + }, + "firewallPolicyName": { + "value": "[variables('varFiwewallPolicyName')]" + }, + "firewallPolicyRuleCollectionGroupName": { + "value": "[variables('varFiwewallPolicyRuleCollectionGroupName')]" + }, + "firewallPolicyNetworkRuleCollectionName": { + "value": "[variables('varFiwewallPolicyNetworkRuleCollectionName')]" + }, + "firewallPolicyOptionalRuleCollectionGroupName": { + "value": "[variables('varFiwewallPolicyOptionalRuleCollectionGroupName')]" + }, + "firewallPolicyOptionalNetworkRuleCollectionName": { + "value": "[variables('varFiwewallPolicyOptionalNetworkRuleCollectionName')]" + }, + "firewallPolicyOptionalApplicationRuleCollectionName": { + "value": "[variables('varFiwewallPolicyOptionalApplicationRuleCollectionName')]" + }, + "firewallSubnetAddressPrefix": { + "value": 
"[parameters('firewallSubnetAddressPrefix')]" + } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2018-05-01/subscriptionDeploymentTemplate.json#", @@ -8350,8 +8398,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "3756011210515160191" + "version": "0.21.1.54444", + "templateHash": "744206307789280632" } }, "parameters": { @@ -8464,6 +8512,60 @@ "description": "Create virtual network peering to hub." } }, + "deployAvdFirewall": { + "type": "bool", + "metadata": { + "description": "Create firewall and firewall policy to hub virtual network." + } + }, + "firewallName": { + "type": "string", + "metadata": { + "description": "Firewall name" + } + }, + "firewallPolicyName": { + "type": "string", + "metadata": { + "description": "Firewall policy name" + } + }, + "firewallPolicyRuleCollectionGroupName": { + "type": "string", + "metadata": { + "description": "Firewall policy rule collection group name" + } + }, + "firewallPolicyOptionalRuleCollectionGroupName": { + "type": "string", + "metadata": { + "description": "Firewall policy rule collection group name (optional)" + } + }, + "firewallPolicyNetworkRuleCollectionName": { + "type": "string", + "metadata": { + "description": "Firewall policy network rule collection name" + } + }, + "firewallPolicyOptionalNetworkRuleCollectionName": { + "type": "string", + "metadata": { + "description": "Firewall policy network rule collection name (optional)" + } + }, + "firewallPolicyOptionalApplicationRuleCollectionName": { + "type": "string", + "metadata": { + "description": "Firewall policy application rule collection name (optional)" + } + }, + "firewallSubnetAddressPrefix": { + "type": "string", + "metadata": { + "description": "Firewall subnet adderss prefix" + } + }, "deployPrivateEndpointSubnet": { "type": "bool", "metadata": { 
@@ -8552,7 +8654,10 @@ "varExistingAvdVnetSubId": "[if(not(parameters('createVnet')), split(parameters('existingAvdSubnetResourceId'), '/')[2], '')]", "varExistingAvdVnetSubRgName": "[if(not(parameters('createVnet')), split(parameters('existingAvdSubnetResourceId'), '/')[4], '')]", "varExistingAvdVnetName": "[if(not(parameters('createVnet')), split(parameters('existingAvdSubnetResourceId'), '/')[8], '')]", - "varExistingAvdVnetResourceId": "[if(not(parameters('createVnet')), format('/subscriptions/{0}/resourceGroups/{1}/providers/Microsoft.Network/virtualNetworks/{2}', variables('varExistingAvdVnetSubId'), variables('varExistingAvdVnetSubRgName'), variables('varExistingAvdVnetName')), '')]" + "varExistingAvdVnetResourceId": "[if(not(parameters('createVnet')), format('/subscriptions/{0}/resourceGroups/{1}/providers/Microsoft.Network/virtualNetworks/{2}', variables('varExistingAvdVnetSubId'), variables('varExistingAvdVnetSubRgName'), variables('varExistingAvdVnetName')), '')]", + "varExistingHubSubId": "[split(parameters('existingHubVnetResourceId'), '/')[2]]", + "varExistingHubSubRgName": "[split(parameters('existingHubVnetResourceId'), '/')[4]]", + "varExistingHubVnetName": "[split(parameters('existingHubVnetResourceId'), '/')[8]]" }, "resources": [ { @@ -8692,8 +8797,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "2369963613204181171" + "version": "0.21.1.54444", + "templateHash": "12715653640573668517" } }, "parameters": { @@ -8755,14 +8860,14 @@ "lock": { "type": "string", "defaultValue": "", - "metadata": { - "description": "Optional. Specify the type of lock." - }, "allowedValues": [ "", "CanNotDelete", "ReadOnly" - ] + ], + "metadata": { + "description": "Optional. Specify the type of lock." + } }, "roleAssignments": { "type": "array", 
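Review bot: The three new variables `varExistingHubSubId`, `varExistingHubSubRgName` and `varExistingHubVnetName` index into `split(parameters('existingHubVnetResourceId'), '/')` unconditionally, whereas the neighbouring `varExistingAvdVnet*` variables in the same hunk are wrapped in `if(not(parameters('createVnet')), …, '')`. If `existingHubVnetResourceId` can be empty or malformed when no hub is in use (not visible from this hunk), the `[2]`/`[4]`/`[8]` lookups would either fail template evaluation or pick the wrong segments. Since these values presumably scope the hub firewall deployment, that could point it at an unintended subscription or resource group. Guard them the same way, e.g. `"varExistingHubSubId": "[if(not(empty(parameters('existingHubVnetResourceId'))), split(parameters('existingHubVnetResourceId'), '/')[2], '')]"`, or key the guard on `deployAvdFirewall`. This file is compiled Bicep output, so the change belongs in the Bicep source, with the template regenerated afterwards.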
@@ -8956,8 +9061,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "2452007385443009245" + "version": "0.21.1.54444", + "templateHash": "369614872700794013" } }, "parameters": { @@ -9201,8 +9306,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "175852501961116138" + "version": "0.21.1.54444", + "templateHash": "8259083650687909209" } }, "parameters": { @@ -9416,8 +9521,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "2369963613204181171" + "version": "0.21.1.54444", + "templateHash": "12715653640573668517" } }, "parameters": { @@ -9479,14 +9584,14 @@ "lock": { "type": "string", "defaultValue": "", - "metadata": { - "description": "Optional. Specify the type of lock." - }, "allowedValues": [ "", "CanNotDelete", "ReadOnly" - ] + ], + "metadata": { + "description": "Optional. Specify the type of lock." + } }, "roleAssignments": { "type": "array", @@ -9680,8 +9785,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "2452007385443009245" + "version": "0.21.1.54444", + "templateHash": "369614872700794013" } }, "parameters": { @@ -9925,8 +10030,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "175852501961116138" + "version": "0.21.1.54444", + "templateHash": "8259083650687909209" } }, "parameters": { @@ -10131,8 +10236,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "4126277245845030634" + "version": "0.21.1.54444", + "templateHash": "16972778608528683628" } }, "parameters": { 
@@ -10152,358 +10257,358 @@ "lock": { "type": "string", "defaultValue": "", + "allowedValues": [ + "", + "CanNotDelete", + "ReadOnly" + ], "metadata": { "description": "Optional. Specify the type of lock." + } + }, + "roleAssignments": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "tags": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. Tags of the resource." + } + }, + "enableDefaultTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
+ } + } + }, + "resources": [ + { + "condition": "[parameters('enableDefaultTelemetry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "type": "Microsoft.Network/applicationSecurityGroups", + "apiVersion": "2022-07-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "properties": {} + }, + { + "condition": "[not(empty(parameters('lock')))]", + "type": "Microsoft.Authorization/locks", + "apiVersion": "2020-05-01", + "scope": "[format('Microsoft.Network/applicationSecurityGroups/{0}', parameters('name'))]", + "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "properties": { + "level": "[parameters('lock')]", + "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/applicationSecurityGroups', parameters('name'))]" + ] + }, + { + "copy": { + "name": "applicationSecurityGroup_roleAssignments", + "count": "[length(parameters('roleAssignments'))]" }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-AppSecurityGroup-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', 
''))]", + "principalIds": { + "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" + }, + "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", + "roleDefinitionIdOrName": { + "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" + }, + "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", + "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", + "resourceId": { + "value": "[resourceId('Microsoft.Network/applicationSecurityGroups', parameters('name'))]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.21.1.54444", + "templateHash": "4152038459218204517" + } + }, + "parameters": { + "principalIds": { + "type": "array", + "metadata": { + "description": "Required. The IDs of the principals to assign the role to." + } + }, + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "Required. The resource ID of the resource to apply the role assignment to." 
+ } + }, + "principalType": { + "type": "string", + "defaultValue": "", + "allowedValues": [ + "ServicePrincipal", + "Group", + "User", + "ForeignGroup", + "Device", + "" + ], + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." + } + }, + "conditionVersion": { + "type": "string", + "defaultValue": "2.0", + "allowedValues": [ + "2.0" + ], + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Id of the delegated managed identity resource." 
+ } + } + }, + "variables": { + "builtInRoleNames": { + "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", + "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", + "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", + "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", + "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", + "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", + "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", + "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", + "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", + "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", + "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", + "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", + "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", + "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", + "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", + "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", + "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", + "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", + "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", + "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", + "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", + "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", + "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", + "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", + "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", + "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" + } + }, + "resources": [ + { + "copy": { + "name": "roleAssignment", + "count": "[length(parameters('principalIds'))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/applicationSecurityGroups/{0}', last(split(parameters('resourceId'), '/')))]", + "name": "[guid(resourceId('Microsoft.Network/applicationSecurityGroups', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", + "properties": { + "description": "[parameters('description')]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", + "principalId": "[parameters('principalIds')[copyIndex()]]", + "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", + "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", + "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", + "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/applicationSecurityGroups', parameters('name'))]" + ] + } + ], + "outputs": { + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The resource group the application security group was deployed into." 
+ }, + "value": "[resourceGroup().name]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the application security group." + }, + "value": "[resourceId('Microsoft.Network/applicationSecurityGroups', parameters('name'))]" + }, + "name": { + "type": "string", + "metadata": { + "description": "The name of the application security group." + }, + "value": "[parameters('name')]" + }, + "location": { + "type": "string", + "metadata": { + "description": "The location the resource was deployed into." + }, + "value": "[reference(resourceId('Microsoft.Network/applicationSecurityGroups', parameters('name')), '2022-07-01', 'full').location]" + } + } + } + } + }, + { + "condition": "[parameters('createVnet')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('Route-Table-AVD-{0}', parameters('time'))]", + "subscriptionId": "[format('{0}', parameters('workloadSubsId'))]", + "resourceGroup": "[format('{0}', parameters('networkObjectsRgName'))]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "name": { + "value": "[parameters('avdRouteTableName')]" + }, + "location": { + "value": "[parameters('sessionHostLocation')]" + }, + "tags": { + "value": "[parameters('tags')]" + }, + "routes": "[if(variables('varCreateAvdStaicRoute'), createObject('value', createArray(createObject('name', 'AVDServiceTraffic', 'properties', createObject('addressPrefix', 'WindowsVirtualDesktop', 'hasBgpOverride', true(), 'nextHopType', 'Internet')))), createObject('value', createArray()))]" + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.21.1.54444", + "templateHash": "18134341385828267149" + } + }, + "parameters": { + "name": { + "type": "string", + "metadata": { + 
"description": "Required. Name given for the hub route table." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all resources." + } + }, + "routes": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. An Array of Routes to be established within the hub route table." + } + }, + "disableBgpRoutePropagation": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Switch to disable BGP route propagation." + } + }, + "lock": { + "type": "string", + "defaultValue": "", "allowedValues": [ "", "CanNotDelete", "ReadOnly" - ] - }, - "roleAssignments": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.Network/applicationSecurityGroups", - "apiVersion": "2022-07-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": {} - }, - { - "condition": "[not(empty(parameters('lock')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/applicationSecurityGroups/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", - "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/applicationSecurityGroups', parameters('name'))]" - ] - }, - { - "copy": { - "name": "applicationSecurityGroup_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-AppSecurityGroup-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), 
createObject('value', ''))]", - "principalIds": { - "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.Network/applicationSecurityGroups', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "9764104744913843180" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." 
- } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." 
- } - } - }, - "variables": { - "builtInRoleNames": { - "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", - "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", - "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", - "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", - "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", - "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", - "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", - "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", - "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", - "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", - "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", - "DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", - "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", - "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", - "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", - "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", - "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", - "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", - "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", - "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", - "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", - "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", - "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", - "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/applicationSecurityGroups/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/applicationSecurityGroups', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/applicationSecurityGroups', parameters('name'))]" - ] - } - ], - "outputs": { - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the application security group was deployed into." 
- }, - "value": "[resourceGroup().name]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the application security group." - }, - "value": "[resourceId('Microsoft.Network/applicationSecurityGroups', parameters('name'))]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the application security group." - }, - "value": "[parameters('name')]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference(resourceId('Microsoft.Network/applicationSecurityGroups', parameters('name')), '2022-07-01', 'full').location]" - } - } - } - } - }, - { - "condition": "[parameters('createVnet')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('Route-Table-AVD-{0}', parameters('time'))]", - "subscriptionId": "[format('{0}', parameters('workloadSubsId'))]", - "resourceGroup": "[format('{0}', parameters('networkObjectsRgName'))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('avdRouteTableName')]" - }, - "location": { - "value": "[parameters('sessionHostLocation')]" - }, - "tags": { - "value": "[parameters('tags')]" - }, - "routes": "[if(variables('varCreateAvdStaicRoute'), createObject('value', createArray(createObject('name', 'AVDServiceTraffic', 'properties', createObject('addressPrefix', 'WindowsVirtualDesktop', 'hasBgpOverride', true(), 'nextHopType', 'Internet')))), createObject('value', createArray()))]" - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "3459157471784143501" - } - }, - "parameters": { - "name": { - "type": "string", - "metadata": { - "description": 
"Required. Name given for the hub route table." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "routes": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. An Array of Routes to be established within the hub route table." - } - }, - "disableBgpRoutePropagation": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Switch to disable BGP route propagation." - } - }, - "lock": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Specify the type of lock." - }, - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ] + ], + "metadata": { + "description": "Optional. Specify the type of lock." + } }, "roleAssignments": { "type": "array", @@ -10601,8 +10706,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "17826830289819287737" + "version": "0.21.1.54444", + "templateHash": "15918129007023123856" } }, "parameters": { @@ -10810,8 +10915,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "3459157471784143501" + "version": "0.21.1.54444", + "templateHash": "18134341385828267149" } }, "parameters": { @@ -10845,14 +10950,14 @@ "lock": { "type": "string", "defaultValue": "", - "metadata": { - "description": "Optional. Specify the type of lock." - }, "allowedValues": [ "", "CanNotDelete", "ReadOnly" - ] + ], + "metadata": { + "description": "Optional. Specify the type of lock." + } }, "roleAssignments": { "type": "array", @@ -10950,8 +11055,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "17826830289819287737" + "version": "0.21.1.54444", + "templateHash": "15918129007023123856" } }, "parameters": { 
@@ -11173,8 +11278,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "10436531327774101026" + "version": "0.21.1.54444", + "templateHash": "16057298145739940641" } }, "parameters": { @@ -11235,21 +11340,21 @@ "vnetEncryptionEnforcement": { "type": "string", "defaultValue": "AllowUnencrypted", - "metadata": { - "description": "Optional. If the encrypted VNet allows VM that does not support encryption. Can only be used when vnetEncryption is enabled." - }, "allowedValues": [ "AllowUnencrypted", "DropUnencrypted" - ] + ], + "metadata": { + "description": "Optional. If the encrypted VNet allows VM that does not support encryption. Can only be used when vnetEncryption is enabled." + } }, "flowTimeoutInMinutes": { "type": "int", "defaultValue": 0, + "maxValue": 30, "metadata": { "description": "Optional. The flow timeout in minutes for the Virtual Network, which is used to enable connection tracking for intra-VM flows. Possible values are between 4 and 30 minutes. Default value 0 will set the property to null." - }, - "maxValue": 30 + } }, "diagnosticStorageAccountId": { "type": "string", @@ -11282,14 +11387,14 @@ "lock": { "type": "string", "defaultValue": "", - "metadata": { - "description": "Optional. Specify the type of lock." - }, "allowedValues": [ "", "CanNotDelete", "ReadOnly" - ] + ], + "metadata": { + "description": "Optional. Specify the type of lock." + } }, "roleAssignments": { "type": "array", @@ -11507,8 +11612,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "12913964363513527115" + "version": "0.21.1.54444", + "templateHash": "4385347612687619252" } }, "parameters": { @@ -11700,8 +11805,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "1508597549221173835" + "version": "0.21.1.54444", + "templateHash": "15642916335871461785" } }, "parameters": { 
@@ -11923,8 +12028,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "12896423701864490964" + "version": "0.21.1.54444", + "templateHash": "4623538711374397842" } }, "parameters": { @@ -12089,8 +12194,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "12896423701864490964" + "version": "0.21.1.54444", + "templateHash": "4623538711374397842" } }, "parameters": { 
@@ -12250,8 +12355,3396 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "7449417204208520653" + "version": "0.21.1.54444", + "templateHash": "826837070159019998" + } + }, + "parameters": { + "principalIds": { + "type": "array", + "metadata": { + "description": "Required. The IDs of the principals to assign the role to." + } + }, + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "Required. The resource ID of the resource to apply the role assignment to." + } + }, + "principalType": { + "type": "string", + "defaultValue": "", + "allowedValues": [ + "ServicePrincipal", + "Group", + "User", + "ForeignGroup", + "Device", + "" + ], + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." + } + }, + "conditionVersion": { + "type": "string", + "defaultValue": "2.0", + "allowedValues": [ + "2.0" + ], + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Id of the delegated managed identity resource." 
+ } + } + }, + "variables": { + "builtInRoleNames": { + "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", + "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", + "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", + "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", + "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", + "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", + "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", + "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", + "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", + "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", + "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", + "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", + "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", + "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", + "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", + "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", + "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", + "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", + "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", + "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", + "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", + "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", + "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", + "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", + "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", + "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" + } + }, + "resources": [ + { + "copy": { + "name": "roleAssignment", + "count": "[length(parameters('principalIds'))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/virtualNetworks/{0}', last(split(parameters('resourceId'), '/')))]", + "name": "[guid(resourceId('Microsoft.Network/virtualNetworks', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", + "properties": { + "description": "[parameters('description')]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", + "principalId": "[parameters('principalIds')[copyIndex()]]", + "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", + "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", + "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", + "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/virtualNetworks', parameters('name'))]" + ] + } + ], + "outputs": { + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The resource group the virtual network was deployed into." + }, + "value": "[resourceGroup().name]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the virtual network." 
+ }, + "value": "[resourceId('Microsoft.Network/virtualNetworks', parameters('name'))]" + }, + "name": { + "type": "string", + "metadata": { + "description": "The name of the virtual network." + }, + "value": "[parameters('name')]" + }, + "subnetNames": { + "type": "array", + "metadata": { + "description": "The names of the deployed subnets." + }, + "copy": { + "count": "[length(parameters('subnets'))]", + "input": "[parameters('subnets')[copyIndex()].name]" + } + }, + "subnetResourceIds": { + "type": "array", + "metadata": { + "description": "The resource IDs of the deployed subnets." + }, + "copy": { + "count": "[length(parameters('subnets'))]", + "input": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('name'), parameters('subnets')[copyIndex()].name)]" + } + }, + "location": { + "type": "string", + "metadata": { + "description": "The location the resource was deployed into." + }, + "value": "[reference(resourceId('Microsoft.Network/virtualNetworks', parameters('name')), '2022-07-01', 'full').location]" + }, + "diagnosticsLogs": { + "type": "array", + "metadata": { + "description": "The Diagnostic Settings of the virtual network." 
+ }, + "value": "[variables('diagnosticsLogs')]" + } + } + } + }, + "dependsOn": [ + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', format('{0}', parameters('workloadSubsId')), format('{0}', parameters('networkObjectsRgName'))), 'Microsoft.Resources/deployments', format('NSG-AVD-{0}', parameters('time')))]", + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', format('{0}', parameters('workloadSubsId')), format('{0}', parameters('networkObjectsRgName'))), 'Microsoft.Resources/deployments', format('NSG-Private-Endpoint-{0}', parameters('time')))]", + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', format('{0}', parameters('workloadSubsId')), format('{0}', parameters('networkObjectsRgName'))), 'Microsoft.Resources/deployments', format('Route-Table-AVD-{0}', parameters('time')))]", + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', format('{0}', parameters('workloadSubsId')), format('{0}', parameters('networkObjectsRgName'))), 'Microsoft.Resources/deployments', format('Route-Table-PE-{0}', parameters('time')))]" + ] + }, + { + "condition": "[and(parameters('createPrivateDnsZones'), equals(variables('varAzureCloudName'), 'AzureCloud'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('Private-DNS-Comm-Files-{0}', parameters('time'))]", + "subscriptionId": "[format('{0}', parameters('workloadSubsId'))]", + "resourceGroup": "[format('{0}', parameters('networkObjectsRgName'))]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "privateDnsZoneName": { + "value": "privatelink.file.core.windows.net" + }, + "virtualNetworkResourceId": "[if(parameters('createVnet'), createObject('value', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', format('{0}', parameters('workloadSubsId')), format('{0}', parameters('networkObjectsRgName'))), 
'Microsoft.Resources/deployments', format('vNet-{0}', parameters('time'))), '2022-09-01').outputs.resourceId.value), createObject('value', variables('varExistingAvdVnetResourceId')))]", + "tags": { + "value": "[parameters('tags')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.21.1.54444", + "templateHash": "903283518806229825" + } + }, + "parameters": { + "privateDnsZoneName": { + "type": "string", + "metadata": { + "description": "Name space of the private DNS zone" + } + }, + "tags": { + "type": "object", + "metadata": { + "description": "Tags to be applied to resources" + } + }, + "virtualNetworkResourceId": { + "type": "string", + "metadata": { + "description": "Virtual network resource ID to link private DNS zone to" + } + } + }, + "resources": [ + { + "type": "Microsoft.Network/privateDnsZones", + "apiVersion": "2020-06-01", + "name": "[parameters('privateDnsZoneName')]", + "location": "Global", + "tags": "[parameters('tags')]" + }, + { + "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", + "apiVersion": "2020-06-01", + "name": "[format('{0}/{1}', parameters('privateDnsZoneName'), format('{0}-vnetlink', last(split(parameters('virtualNetworkResourceId'), '/'))))]", + "location": "Global", + "tags": "[parameters('tags')]", + "properties": { + "registrationEnabled": false, + "virtualNetwork": { + "id": "[parameters('virtualNetworkResourceId')]" + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/privateDnsZones', parameters('privateDnsZoneName'))]" + ] + } + ], + "outputs": { + "resourceId": { + "type": "string", + "value": "[resourceId('Microsoft.Network/privateDnsZones', parameters('privateDnsZoneName'))]" + } + } + } + }, + "dependsOn": [ + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', format('{0}', parameters('workloadSubsId')), 
format('{0}', parameters('networkObjectsRgName'))), 'Microsoft.Resources/deployments', format('vNet-{0}', parameters('time')))]" + ] + }, + { + "condition": "[and(parameters('createPrivateDnsZones'), equals(variables('varAzureCloudName'), 'AzureCloud'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('Private-DNS-Comm-Kv-{0}', parameters('time'))]", + "subscriptionId": "[format('{0}', parameters('workloadSubsId'))]", + "resourceGroup": "[format('{0}', parameters('networkObjectsRgName'))]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "privateDnsZoneName": { + "value": "privatelink.vaultcore.azure.net" + }, + "virtualNetworkResourceId": "[if(parameters('createVnet'), createObject('value', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', format('{0}', parameters('workloadSubsId')), format('{0}', parameters('networkObjectsRgName'))), 'Microsoft.Resources/deployments', format('vNet-{0}', parameters('time'))), '2022-09-01').outputs.resourceId.value), createObject('value', variables('varExistingAvdVnetResourceId')))]", + "tags": { + "value": "[parameters('tags')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.21.1.54444", + "templateHash": "903283518806229825" + } + }, + "parameters": { + "privateDnsZoneName": { + "type": "string", + "metadata": { + "description": "Name space of the private DNS zone" + } + }, + "tags": { + "type": "object", + "metadata": { + "description": "Tags to be applied to resources" + } + }, + "virtualNetworkResourceId": { + "type": "string", + "metadata": { + "description": "Virtual network resource ID to link private DNS zone to" + } + } + }, + "resources": [ + { + "type": "Microsoft.Network/privateDnsZones", + 
"apiVersion": "2020-06-01", + "name": "[parameters('privateDnsZoneName')]", + "location": "Global", + "tags": "[parameters('tags')]" + }, + { + "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", + "apiVersion": "2020-06-01", + "name": "[format('{0}/{1}', parameters('privateDnsZoneName'), format('{0}-vnetlink', last(split(parameters('virtualNetworkResourceId'), '/'))))]", + "location": "Global", + "tags": "[parameters('tags')]", + "properties": { + "registrationEnabled": false, + "virtualNetwork": { + "id": "[parameters('virtualNetworkResourceId')]" + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/privateDnsZones', parameters('privateDnsZoneName'))]" + ] + } + ], + "outputs": { + "resourceId": { + "type": "string", + "value": "[resourceId('Microsoft.Network/privateDnsZones', parameters('privateDnsZoneName'))]" + } + } + } + }, + "dependsOn": [ + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', format('{0}', parameters('workloadSubsId')), format('{0}', parameters('networkObjectsRgName'))), 'Microsoft.Resources/deployments', format('vNet-{0}', parameters('time')))]" + ] + }, + { + "condition": "[and(parameters('createPrivateDnsZones'), equals(variables('varAzureCloudName'), 'AzureUSGovernment'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('Private-DNS-Gov-Files-{0}', parameters('time'))]", + "subscriptionId": "[format('{0}', parameters('workloadSubsId'))]", + "resourceGroup": "[format('{0}', parameters('networkObjectsRgName'))]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "privateDnsZoneName": { + "value": "privatelink.file.core.usgovcloudapi.net" + }, + "virtualNetworkResourceId": "[if(parameters('createVnet'), createObject('value', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', format('{0}', parameters('workloadSubsId')), format('{0}', 
parameters('networkObjectsRgName'))), 'Microsoft.Resources/deployments', format('vNet-{0}', parameters('time'))), '2022-09-01').outputs.resourceId.value), createObject('value', variables('varExistingAvdVnetResourceId')))]", + "tags": { + "value": "[parameters('tags')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.21.1.54444", + "templateHash": "903283518806229825" + } + }, + "parameters": { + "privateDnsZoneName": { + "type": "string", + "metadata": { + "description": "Name space of the private DNS zone" + } + }, + "tags": { + "type": "object", + "metadata": { + "description": "Tags to be applied to resources" + } + }, + "virtualNetworkResourceId": { + "type": "string", + "metadata": { + "description": "Virtual network resource ID to link private DNS zone to" + } + } + }, + "resources": [ + { + "type": "Microsoft.Network/privateDnsZones", + "apiVersion": "2020-06-01", + "name": "[parameters('privateDnsZoneName')]", + "location": "Global", + "tags": "[parameters('tags')]" + }, + { + "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", + "apiVersion": "2020-06-01", + "name": "[format('{0}/{1}', parameters('privateDnsZoneName'), format('{0}-vnetlink', last(split(parameters('virtualNetworkResourceId'), '/'))))]", + "location": "Global", + "tags": "[parameters('tags')]", + "properties": { + "registrationEnabled": false, + "virtualNetwork": { + "id": "[parameters('virtualNetworkResourceId')]" + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/privateDnsZones', parameters('privateDnsZoneName'))]" + ] + } + ], + "outputs": { + "resourceId": { + "type": "string", + "value": "[resourceId('Microsoft.Network/privateDnsZones', parameters('privateDnsZoneName'))]" + } + } + } + }, + "dependsOn": [ + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', format('{0}', 
parameters('workloadSubsId')), format('{0}', parameters('networkObjectsRgName'))), 'Microsoft.Resources/deployments', format('vNet-{0}', parameters('time')))]" + ] + }, + { + "condition": "[and(parameters('createPrivateDnsZones'), equals(variables('varAzureCloudName'), 'AzureUSGovernment'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('Private-DNS-Gov-Kv-{0}', parameters('time'))]", + "subscriptionId": "[format('{0}', parameters('workloadSubsId'))]", + "resourceGroup": "[format('{0}', parameters('networkObjectsRgName'))]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "privateDnsZoneName": { + "value": "privatelink.vaultcore.usgovcloudapi.net" + }, + "virtualNetworkResourceId": "[if(parameters('createVnet'), createObject('value', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', format('{0}', parameters('workloadSubsId')), format('{0}', parameters('networkObjectsRgName'))), 'Microsoft.Resources/deployments', format('vNet-{0}', parameters('time'))), '2022-09-01').outputs.resourceId.value), createObject('value', variables('varExistingAvdVnetResourceId')))]", + "tags": { + "value": "[parameters('tags')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.21.1.54444", + "templateHash": "903283518806229825" + } + }, + "parameters": { + "privateDnsZoneName": { + "type": "string", + "metadata": { + "description": "Name space of the private DNS zone" + } + }, + "tags": { + "type": "object", + "metadata": { + "description": "Tags to be applied to resources" + } + }, + "virtualNetworkResourceId": { + "type": "string", + "metadata": { + "description": "Virtual network resource ID to link private DNS zone to" + } + } + }, + "resources": [ + { + "type": 
"Microsoft.Network/privateDnsZones", + "apiVersion": "2020-06-01", + "name": "[parameters('privateDnsZoneName')]", + "location": "Global", + "tags": "[parameters('tags')]" + }, + { + "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", + "apiVersion": "2020-06-01", + "name": "[format('{0}/{1}', parameters('privateDnsZoneName'), format('{0}-vnetlink', last(split(parameters('virtualNetworkResourceId'), '/'))))]", + "location": "Global", + "tags": "[parameters('tags')]", + "properties": { + "registrationEnabled": false, + "virtualNetwork": { + "id": "[parameters('virtualNetworkResourceId')]" + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/privateDnsZones', parameters('privateDnsZoneName'))]" + ] + } + ], + "outputs": { + "resourceId": { + "type": "string", + "value": "[resourceId('Microsoft.Network/privateDnsZones', parameters('privateDnsZoneName'))]" + } + } + } + }, + "dependsOn": [ + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', format('{0}', parameters('workloadSubsId')), format('{0}', parameters('networkObjectsRgName'))), 'Microsoft.Resources/deployments', format('vNet-{0}', parameters('time')))]" + ] + }, + { + "condition": "[parameters('deployAvdFirewall')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('Fw-Policy-{0}', parameters('time'))]", + "subscriptionId": "[format('{0}', variables('varExistingHubSubId'))]", + "resourceGroup": "[format('{0}', variables('varExistingHubSubRgName'))]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "name": { + "value": "[parameters('firewallPolicyName')]" + }, + "enableProxy": { + "value": true + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.21.1.54444", + "templateHash": 
"4407823163253500708" + } + }, + "parameters": { + "name": { + "type": "string", + "metadata": { + "description": "Required. Name of the Firewall Policy." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all resources." + } + }, + "tags": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. Tags of the Firewall policy resource." + } + }, + "systemAssignedIdentity": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + }, + "userAssignedIdentities": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. The ID(s) to assign to the resource." + } + }, + "basePolicyResourceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource ID of the base policy." + } + }, + "enableProxy": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Enable DNS Proxy on Firewalls attached to the Firewall Policy." + } + }, + "servers": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. List of Custom DNS Servers." + } + }, + "insightsIsEnabled": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. A flag to indicate if the insights are enabled on the policy." + } + }, + "defaultWorkspaceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Default Log Analytics Resource ID for Firewall Policy Insights." + } + }, + "workspaces": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. List of workspaces for Firewall Policy Insights." + } + }, + "retentionDays": { + "type": "int", + "defaultValue": 365, + "metadata": { + "description": "Optional. Number of days the insights should be enabled on the policy." 
+ } + }, + "bypassTrafficSettings": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. List of rules for traffic to bypass." + } + }, + "signatureOverrides": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. List of specific signatures states." + } + }, + "mode": { + "type": "string", + "defaultValue": "Off", + "allowedValues": [ + "Alert", + "Deny", + "Off" + ], + "metadata": { + "description": "Optional. The configuring of intrusion detection." + } + }, + "tier": { + "type": "string", + "defaultValue": "Standard", + "allowedValues": [ + "Premium", + "Standard" + ], + "metadata": { + "description": "Optional. Tier of Firewall Policy." + } + }, + "privateRanges": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. List of private IP addresses/IP address ranges to not be SNAT." + } + }, + "autoLearnPrivateRanges": { + "type": "string", + "defaultValue": "Disabled", + "allowedValues": [ + "Disabled", + "Enabled" + ], + "metadata": { + "description": "Optional. The operation mode for automatically learning private ranges to not be SNAT." + } + }, + "threatIntelMode": { + "type": "string", + "defaultValue": "Off", + "allowedValues": [ + "Alert", + "Deny", + "Off" + ], + "metadata": { + "description": "Optional. The operation mode for Threat Intel." + } + }, + "allowSqlRedirect": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. A flag to indicate if SQL Redirect traffic filtering is enabled. Turning on the flag requires no rule using port 11000-11999." + } + }, + "fqdns": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. List of FQDNs for the ThreatIntel Allowlist." + } + }, + "ipAddresses": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. List of IP addresses for the ThreatIntel Allowlist." 
+ } + }, + "keyVaultSecretId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Secret ID of (base-64 encoded unencrypted PFX) Secret or Certificate object stored in KeyVault." + } + }, + "certificateName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Name of the CA certificate." + } + }, + "enableDefaultTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + } + }, + "ruleCollectionGroups": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. Rule collection groups." + } + } + }, + "variables": { + "identityType": "[if(parameters('systemAssignedIdentity'), if(not(empty(parameters('userAssignedIdentities'))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(parameters('userAssignedIdentities'))), 'UserAssigned', 'None'))]", + "identity": "[if(not(equals(variables('identityType'), 'None')), createObject('type', variables('identityType'), 'userAssignedIdentities', if(not(empty(parameters('userAssignedIdentities'))), parameters('userAssignedIdentities'), null())), null())]", + "enableReferencedModulesTelemetry": false + }, + "resources": [ + { + "condition": "[parameters('enableDefaultTelemetry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "type": "Microsoft.Network/firewallPolicies", + "apiVersion": "2022-07-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "identity": 
"[variables('identity')]", + "properties": { + "basePolicy": "[if(not(empty(parameters('basePolicyResourceId'))), createObject('id', parameters('basePolicyResourceId')), null())]", + "dnsSettings": "[if(parameters('enableProxy'), createObject('enableProxy', parameters('enableProxy'), 'servers', parameters('servers')), null())]", + "insights": "[if(parameters('insightsIsEnabled'), createObject('isEnabled', parameters('insightsIsEnabled'), 'logAnalyticsResources', createObject('defaultWorkspaceId', createObject('id', if(not(empty(parameters('defaultWorkspaceId'))), parameters('defaultWorkspaceId'), null())), 'workspaces', if(not(empty(parameters('workspaces'))), parameters('workspaces'), null())), 'retentionDays', parameters('retentionDays')), null())]", + "intrusionDetection": "[if(not(equals(parameters('mode'), 'Off')), createObject('configuration', createObject('bypassTrafficSettings', if(not(empty(parameters('bypassTrafficSettings'))), parameters('bypassTrafficSettings'), null()), 'signatureOverrides', if(not(empty(parameters('signatureOverrides'))), parameters('signatureOverrides'), null())), 'mode', parameters('mode')), null())]", + "sku": { + "tier": "[parameters('tier')]" + }, + "snat": "[if(not(empty(parameters('privateRanges'))), createObject('autoLearnPrivateRanges', parameters('autoLearnPrivateRanges'), 'privateRanges', parameters('privateRanges')), null())]", + "sql": { + "allowSqlRedirect": "[parameters('allowSqlRedirect')]" + }, + "threatIntelMode": "[parameters('threatIntelMode')]", + "threatIntelWhitelist": { + "fqdns": "[parameters('fqdns')]", + "ipAddresses": "[parameters('ipAddresses')]" + }, + "transportSecurity": "[if(or(not(empty(parameters('keyVaultSecretId'))), not(empty(parameters('certificateName')))), createObject('certificateAuthority', createObject('keyVaultSecretId', if(not(empty(parameters('keyVaultSecretId'))), parameters('keyVaultSecretId'), null()), 'name', if(not(empty(parameters('certificateName'))), parameters('certificateName'), 
null()))), null())]" + } + }, + { + "copy": { + "name": "firewallPolicy_ruleCollectionGroups", + "count": "[length(parameters('ruleCollectionGroups'))]", + "mode": "serial", + "batchSize": 1 + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-firewallPolicy_ruleCollectionGroups-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "firewallPolicyName": { + "value": "[parameters('name')]" + }, + "name": { + "value": "[parameters('ruleCollectionGroups')[copyIndex()].name]" + }, + "priority": { + "value": "[parameters('ruleCollectionGroups')[copyIndex()].priority]" + }, + "ruleCollections": { + "value": "[parameters('ruleCollectionGroups')[copyIndex()].ruleCollections]" + }, + "enableDefaultTelemetry": { + "value": "[variables('enableReferencedModulesTelemetry')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.21.1.54444", + "templateHash": "2968908276504673942" + } + }, + "parameters": { + "firewallPolicyName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent Firewall Policy. Required if the template is used in a standalone deployment." + } + }, + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the rule collection group to deploy." + } + }, + "priority": { + "type": "int", + "metadata": { + "description": "Required. Priority of the Firewall Policy Rule Collection Group resource." + } + }, + "ruleCollections": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. Group of Firewall Policy rule collections." 
+ } + }, + "enableDefaultTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + } + } + }, + "resources": [ + { + "condition": "[parameters('enableDefaultTelemetry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "type": "Microsoft.Network/firewallPolicies/ruleCollectionGroups", + "apiVersion": "2022-07-01", + "name": "[format('{0}/{1}', parameters('firewallPolicyName'), parameters('name'))]", + "properties": { + "priority": "[parameters('priority')]", + "ruleCollections": "[parameters('ruleCollections')]" + } + } + ], + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the deployed rule collection group." + }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the deployed rule collection group." + }, + "value": "[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', parameters('firewallPolicyName'), parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The resource group of the deployed rule collection group." + }, + "value": "[resourceGroup().name]" + } + } + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/firewallPolicies', parameters('name'))]" + ] + } + ], + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the deployed firewall policy." 
+ }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the deployed firewall policy." + }, + "value": "[resourceId('Microsoft.Network/firewallPolicies', parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The resource group of the deployed firewall policy." + }, + "value": "[resourceGroup().name]" + }, + "location": { + "type": "string", + "metadata": { + "description": "The location the resource was deployed into." + }, + "value": "[reference(resourceId('Microsoft.Network/firewallPolicies', parameters('name')), '2022-07-01', 'full').location]" + } + } + } + } + }, + { + "condition": "[parameters('deployAvdFirewall')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('Fw-Policy-Rcg-{0}', parameters('time'))]", + "subscriptionId": "[format('{0}', variables('varExistingHubSubId'))]", + "resourceGroup": "[format('{0}', variables('varExistingHubSubRgName'))]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "name": { + "value": "[parameters('firewallPolicyRuleCollectionGroupName')]" + }, + "firewallPolicyName": { + "value": "[parameters('firewallPolicyName')]" + }, + "priority": { + "value": 100 + }, + "ruleCollections": { + "value": [ + { + "name": "[parameters('firewallPolicyNetworkRuleCollectionName')]", + "priority": 100, + "ruleCollectionType": "FirewallPolicyFilterRuleCollection", + "action": { + "type": "Allow" + }, + "rules": [ + { + "ruleType": "NetworkRule", + "name": "Auth to Msft Online Services", + "ipProtocols": [ + "TCP" + ], + "sourceAddresses": [ + "[parameters('vnetAvdSubnetAddressPrefix')]" + ], + "sourceIpGroups": [], + "destinationAddresses": [], + "destinationIpGroups": [], + "destinationFqdns": [ + "login.microsoftonline.com" + ], + "destinationPorts": [ + "443" + ] + }, + { + "ruleType": 
"NetworkRule", + "name": "Service Traffic", + "ipProtocols": [ + "TCP" + ], + "sourceAddresses": [ + "[parameters('vnetAvdSubnetAddressPrefix')]" + ], + "sourceIpGroups": [], + "destinationAddresses": [ + "WindowsVirtualDesktop", + "AzureFrontDoor.Frontend", + "AzureMonitor" + ], + "destinationIpGroups": [], + "destinationFqdns": [], + "destinationPorts": [ + "443" + ] + }, + { + "ruleType": "NetworkRule", + "name": "DNS Traffic", + "ipProtocols": [ + "TCP", + "UDP" + ], + "sourceAddresses": [ + "[parameters('vnetAvdSubnetAddressPrefix')]" + ], + "sourceIpGroups": [], + "destinationAddresses": [ + "*" + ], + "destinationIpGroups": [], + "destinationFqdns": [], + "destinationPorts": [ + "53" + ] + }, + { + "ruleType": "NetworkRule", + "name": "Azure Windows Activation", + "ipProtocols": [ + "TCP" + ], + "sourceAddresses": [ + "[parameters('vnetAvdSubnetAddressPrefix')]" + ], + "sourceIpGroups": [], + "destinationAddresses": [ + "20.118.99.224", + "40.83.235.53" + ], + "destinationIpGroups": [], + "destinationFqdns": [], + "destinationPorts": [ + "1688" + ] + }, + { + "ruleType": "NetworkRule", + "name": "Windows Activation", + "ipProtocols": [ + "TCP" + ], + "sourceAddresses": [ + "[parameters('vnetAvdSubnetAddressPrefix')]" + ], + "sourceIpGroups": [], + "destinationAddresses": [ + "23.102.135.246" + ], + "destinationIpGroups": [], + "destinationFqdns": [], + "destinationPorts": [ + "1688" + ] + }, + { + "ruleType": "NetworkRule", + "name": "Agent and SxS Stack Updates", + "ipProtocols": [ + "TCP" + ], + "sourceAddresses": [ + "[parameters('vnetAvdSubnetAddressPrefix')]" + ], + "sourceIpGroups": [], + "destinationAddresses": [], + "destinationIpGroups": [], + "destinationFqdns": [ + "mrsglobalsteus2prod.blob.core.windows.net" + ], + "destinationPorts": [ + "443" + ] + }, + { + "ruleType": "NetworkRule", + "name": "Azure Portal Support", + "ipProtocols": [ + "TCP" + ], + "sourceAddresses": [ + "[parameters('vnetAvdSubnetAddressPrefix')]" + ], + "sourceIpGroups": [], 
+ "destinationAddresses": [], + "destinationIpGroups": [], + "destinationFqdns": [ + "wvdportalstorageblob.blob.core.windows.net" + ], + "destinationPorts": [ + "443" + ] + }, + { + "ruleType": "NetworkRule", + "name": "Cert CRL OneOCSP", + "ipProtocols": [ + "TCP" + ], + "sourceAddresses": [ + "[parameters('vnetAvdSubnetAddressPrefix')]" + ], + "sourceIpGroups": [], + "destinationAddresses": [], + "destinationIpGroups": [], + "destinationFqdns": [ + "oneocsp.microsoft.com" + ], + "destinationPorts": [ + "80" + ] + }, + { + "ruleType": "NetworkRule", + "name": "Cert CRL MicrosoftDotCom", + "ipProtocols": [ + "TCP" + ], + "sourceAddresses": [ + "[parameters('vnetAvdSubnetAddressPrefix')]" + ], + "sourceIpGroups": [], + "destinationAddresses": [], + "destinationIpGroups": [], + "destinationFqdns": [ + "www.microsoft.com" + ], + "destinationPorts": [ + "80" + ] + } + ] + } + ] + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.21.1.54444", + "templateHash": "2968908276504673942" + } + }, + "parameters": { + "firewallPolicyName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent Firewall Policy. Required if the template is used in a standalone deployment." + } + }, + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the rule collection group to deploy." + } + }, + "priority": { + "type": "int", + "metadata": { + "description": "Required. Priority of the Firewall Policy Rule Collection Group resource." + } + }, + "ruleCollections": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. Group of Firewall Policy rule collections." + } + }, + "enableDefaultTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. 
Enable telemetry via a Globally Unique Identifier (GUID)." + } + } + }, + "resources": [ + { + "condition": "[parameters('enableDefaultTelemetry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "type": "Microsoft.Network/firewallPolicies/ruleCollectionGroups", + "apiVersion": "2022-07-01", + "name": "[format('{0}/{1}', parameters('firewallPolicyName'), parameters('name'))]", + "properties": { + "priority": "[parameters('priority')]", + "ruleCollections": "[parameters('ruleCollections')]" + } + } + ], + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the deployed rule collection group." + }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the deployed rule collection group." + }, + "value": "[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', parameters('firewallPolicyName'), parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The resource group of the deployed rule collection group." 
+ }, + "value": "[resourceGroup().name]" + } + } + } + }, + "dependsOn": [ + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', format('{0}', variables('varExistingHubSubId')), format('{0}', variables('varExistingHubSubRgName'))), 'Microsoft.Resources/deployments', format('Fw-Policy-{0}', parameters('time')))]" + ] + }, + { + "condition": "[parameters('deployAvdFirewall')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('Fw-Policy-Rcg-Optional-{0}', parameters('time'))]", + "subscriptionId": "[format('{0}', variables('varExistingHubSubId'))]", + "resourceGroup": "[format('{0}', variables('varExistingHubSubRgName'))]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "name": { + "value": "[parameters('firewallPolicyOptionalRuleCollectionGroupName')]" + }, + "firewallPolicyName": { + "value": "[parameters('firewallPolicyName')]" + }, + "priority": { + "value": 200 + }, + "ruleCollections": { + "value": [ + { + "name": "[parameters('firewallPolicyOptionalNetworkRuleCollectionName')]", + "priority": 100, + "ruleCollectionType": "FirewallPolicyFilterRuleCollection", + "action": { + "type": "Allow" + }, + "rules": [ + { + "ruleType": "NetworkRule", + "name": "NTP", + "ipProtocols": [ + "UDP" + ], + "sourceAddresses": [ + "[parameters('vnetAvdSubnetAddressPrefix')]" + ], + "sourceIpGroups": [], + "destinationAddresses": [], + "destinationIpGroups": [], + "destinationFqdns": [ + "time.windows.com" + ], + "destinationPorts": [ + "123" + ] + }, + { + "ruleType": "NetworkRule", + "name": "SigninToMSOL365", + "ipProtocols": [ + "TCP" + ], + "sourceAddresses": [ + "[parameters('vnetAvdSubnetAddressPrefix')]" + ], + "sourceIpGroups": [], + "destinationAddresses": [], + "destinationIpGroups": [], + "destinationFqdns": [ + "login.windows.net" + ], + "destinationPorts": [ + "443" + ] + }, + { + "ruleType": "NetworkRule", + "name": 
"DetectOSconnectedToInternet", + "ipProtocols": [ + "TCP" + ], + "sourceAddresses": [ + "[parameters('vnetAvdSubnetAddressPrefix')]" + ], + "sourceIpGroups": [], + "destinationAddresses": [], + "destinationIpGroups": [], + "destinationFqdns": [ + "www.msftconnecttest.com" + ], + "destinationPorts": [ + "443" + ] + } + ] + }, + { + "name": "[parameters('firewallPolicyOptionalApplicationRuleCollectionName')]", + "priority": 200, + "ruleCollectionType": "FirewallPolicyFilterRuleCollection", + "action": { + "type": "Allow" + }, + "rules": [ + { + "ruleType": "ApplicationRule", + "name": "UpdatesforOneDrive", + "protocols": [ + { + "protocolType": "Https", + "port": 443 + } + ], + "fqdnTags": [ + "WindowsUpdate", + "WindowsDiagnostic", + "MicrosoftActiveProtectionService" + ], + "webCategories": [], + "targetFqdns": [], + "targetUrls": [], + "terminateTLS": false, + "sourceAddresses": [ + "[parameters('vnetAvdSubnetAddressPrefix')]" + ], + "destinationAddresses": [], + "sourceIpGroups": [], + "httpHeadersToInsert": [] + }, + { + "ruleType": "ApplicationRule", + "name": "TelemetryService", + "protocols": [ + { + "protocolType": "Https", + "port": 443 + } + ], + "fqdnTags": [], + "webCategories": [], + "targetFqdns": [ + "*.events.data.microsoft.com" + ], + "targetUrls": [], + "terminateTLS": false, + "sourceAddresses": [ + "[parameters('vnetAvdSubnetAddressPrefix')]" + ], + "destinationAddresses": [], + "sourceIpGroups": [], + "httpHeadersToInsert": [] + }, + { + "ruleType": "ApplicationRule", + "name": "Windows Update", + "protocols": [ + { + "protocolType": "Https", + "port": 443 + } + ], + "fqdnTags": [], + "webCategories": [], + "targetFqdns": [ + "*.sfx.ms" + ], + "targetUrls": [], + "terminateTLS": false, + "sourceAddresses": [ + "[parameters('vnetAvdSubnetAddressPrefix')]" + ], + "destinationAddresses": [], + "sourceIpGroups": [], + "httpHeadersToInsert": [] + }, + { + "ruleType": "ApplicationRule", + "name": "DigitcertCRL", + "protocols": [ + { + "protocolType": 
"Https", + "port": 443 + } + ], + "fqdnTags": [], + "webCategories": [], + "targetFqdns": [ + "*.digicert.com" + ], + "targetUrls": [], + "terminateTLS": false, + "sourceAddresses": [ + "[parameters('vnetAvdSubnetAddressPrefix')]" + ], + "destinationAddresses": [], + "sourceIpGroups": [], + "httpHeadersToInsert": [] + }, + { + "ruleType": "ApplicationRule", + "name": "AzureDNSResolution", + "protocols": [ + { + "protocolType": "Https", + "port": 443 + } + ], + "fqdnTags": [], + "webCategories": [], + "targetFqdns": [ + "*.azure-dns.com", + "*.azure-dns.net" + ], + "targetUrls": [], + "terminateTLS": false, + "sourceAddresses": [ + "[parameters('vnetAvdSubnetAddressPrefix')]" + ], + "destinationAddresses": [], + "sourceIpGroups": [], + "httpHeadersToInsert": [] + } + ] + } + ] + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.21.1.54444", + "templateHash": "2968908276504673942" + } + }, + "parameters": { + "firewallPolicyName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent Firewall Policy. Required if the template is used in a standalone deployment." + } + }, + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the rule collection group to deploy." + } + }, + "priority": { + "type": "int", + "metadata": { + "description": "Required. Priority of the Firewall Policy Rule Collection Group resource." + } + }, + "ruleCollections": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. Group of Firewall Policy rule collections." + } + }, + "enableDefaultTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
+ } + } + }, + "resources": [ + { + "condition": "[parameters('enableDefaultTelemetry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "type": "Microsoft.Network/firewallPolicies/ruleCollectionGroups", + "apiVersion": "2022-07-01", + "name": "[format('{0}/{1}', parameters('firewallPolicyName'), parameters('name'))]", + "properties": { + "priority": "[parameters('priority')]", + "ruleCollections": "[parameters('ruleCollections')]" + } + } + ], + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the deployed rule collection group." + }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the deployed rule collection group." + }, + "value": "[resourceId('Microsoft.Network/firewallPolicies/ruleCollectionGroups', parameters('firewallPolicyName'), parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The resource group of the deployed rule collection group." 
+ }, + "value": "[resourceGroup().name]" + } + } + } + }, + "dependsOn": [ + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', format('{0}', variables('varExistingHubSubId')), format('{0}', variables('varExistingHubSubRgName'))), 'Microsoft.Resources/deployments', format('Fw-Policy-Rcg-{0}', parameters('time')))]" + ] + }, + { + "condition": "[parameters('deployAvdFirewall')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('Fw-Subnet-{0}', parameters('time'))]", + "subscriptionId": "[format('{0}', variables('varExistingHubSubId'))]", + "resourceGroup": "[format('{0}', variables('varExistingHubSubRgName'))]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "addressPrefix": { + "value": "[parameters('firewallSubnetAddressPrefix')]" + }, + "name": { + "value": "AzureFirewallSubnet" + }, + "virtualNetworkName": { + "value": "[variables('varExistingHubVnetName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.21.1.54444", + "templateHash": "4385347612687619252" + } + }, + "parameters": { + "name": { + "type": "string", + "metadata": { + "description": "Optional. The Name of the subnet resource." + } + }, + "virtualNetworkName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent virtual network. Required if the template is used in a standalone deployment." + } + }, + "addressPrefix": { + "type": "string", + "metadata": { + "description": "Required. The address prefix for the subnet." + } + }, + "networkSecurityGroupId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The resource ID of the network security group to assign to the subnet." 
+ } + }, + "routeTableId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The resource ID of the route table to assign to the subnet." + } + }, + "serviceEndpoints": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. The service endpoints to enable on the subnet." + } + }, + "delegations": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. The delegations to enable on the subnet." + } + }, + "natGatewayId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The resource ID of the NAT Gateway to use for the subnet." + } + }, + "privateEndpointNetworkPolicies": { + "type": "string", + "defaultValue": "", + "allowedValues": [ + "Disabled", + "Enabled", + "" + ], + "metadata": { + "description": "Optional. enable or disable apply network policies on private endpoint in the subnet." + } + }, + "privateLinkServiceNetworkPolicies": { + "type": "string", + "defaultValue": "", + "allowedValues": [ + "Disabled", + "Enabled", + "" + ], + "metadata": { + "description": "Optional. enable or disable apply network policies on private link service in the subnet." + } + }, + "addressPrefixes": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. List of address prefixes for the subnet." + } + }, + "applicationGatewayIpConfigurations": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. Application gateway IP configurations of virtual network resource." + } + }, + "ipAllocations": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. Array of IpAllocation which reference this subnet." + } + }, + "serviceEndpointPolicies": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. An array of service endpoint policies." 
+ } + }, + "roleAssignments": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "enableDefaultTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + } + } + }, + "resources": [ + { + "condition": "[parameters('enableDefaultTelemetry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "type": "Microsoft.Network/virtualNetworks/subnets", + "apiVersion": "2022-07-01", + "name": "[format('{0}/{1}', parameters('virtualNetworkName'), parameters('name'))]", + "properties": { + "addressPrefix": "[parameters('addressPrefix')]", + "networkSecurityGroup": "[if(not(empty(parameters('networkSecurityGroupId'))), createObject('id', parameters('networkSecurityGroupId')), null())]", + "routeTable": "[if(not(empty(parameters('routeTableId'))), createObject('id', parameters('routeTableId')), null())]", + "natGateway": "[if(not(empty(parameters('natGatewayId'))), createObject('id', parameters('natGatewayId')), null())]", + "serviceEndpoints": "[parameters('serviceEndpoints')]", + "delegations": "[parameters('delegations')]", + "privateEndpointNetworkPolicies": 
"[if(not(empty(parameters('privateEndpointNetworkPolicies'))), parameters('privateEndpointNetworkPolicies'), null())]", + "privateLinkServiceNetworkPolicies": "[if(not(empty(parameters('privateLinkServiceNetworkPolicies'))), parameters('privateLinkServiceNetworkPolicies'), null())]", + "addressPrefixes": "[parameters('addressPrefixes')]", + "applicationGatewayIpConfigurations": "[parameters('applicationGatewayIpConfigurations')]", + "ipAllocations": "[parameters('ipAllocations')]", + "serviceEndpointPolicies": "[parameters('serviceEndpointPolicies')]" + } + }, + { + "copy": { + "name": "subnet_roleAssignments", + "count": "[length(parameters('roleAssignments'))]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-Subnet-Rbac-{1}', uniqueString(deployment().name, resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('name'))), copyIndex())]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", + "principalIds": { + "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" + }, + "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", + "roleDefinitionIdOrName": { + "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" + }, + "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", + "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 
'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", + "resourceId": { + "value": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('name'))]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.21.1.54444", + "templateHash": "15642916335871461785" + } + }, + "parameters": { + "principalIds": { + "type": "array", + "metadata": { + "description": "Required. The IDs of the principals to assign the role to." + } + }, + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "Required. The resource ID of the resource to apply the role assignment to." + } + }, + "principalType": { + "type": "string", + "defaultValue": "", + "allowedValues": [ + "ServicePrincipal", + "Group", + "User", + "ForeignGroup", + "Device", + "" + ], + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." 
+ } + }, + "conditionVersion": { + "type": "string", + "defaultValue": "2.0", + "allowedValues": [ + "2.0" + ], + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Id of the delegated managed identity resource." + } + } + }, + "variables": { + "builtInRoleNames": { + "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", + "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", + "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", + "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", + "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", + "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", + "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", + "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", + "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", + "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", + "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", + "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", + "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", + "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", + "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", + "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", + "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", + "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", + "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", + "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", + "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", + "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", + "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'1c0163c0-47e6-4577-8991-ea5c82e286e4')]", + "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", + "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", + "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" + } + }, + "resources": [ + { + "copy": { + "name": "roleAssignment", + "count": "[length(parameters('principalIds'))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/virtualNetworks/{0}/subnets/{1}', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1])]", + "name": "[guid(resourceId('Microsoft.Network/virtualNetworks/subnets', split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[0], split(format('{0}/{1}', split(parameters('resourceId'), '/')[8], split(parameters('resourceId'), '/')[10]), '/')[1]), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", + "properties": { + "description": "[parameters('description')]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", + "principalId": "[parameters('principalIds')[copyIndex()]]", + "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", + "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", + "conditionVersion": 
"[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", + "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('name'))]" + ] + } + ], + "outputs": { + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The resource group the virtual network peering was deployed into." + }, + "value": "[resourceGroup().name]" + }, + "name": { + "type": "string", + "metadata": { + "description": "The name of the virtual network peering." + }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the virtual network peering." + }, + "value": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('name'))]" + }, + "subnetAddressPrefix": { + "type": "string", + "metadata": { + "description": "The address prefix for the subnet." + }, + "value": "[reference(resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('name')), '2022-07-01').addressPrefix]" + }, + "subnetAddressPrefixes": { + "type": "array", + "metadata": { + "description": "List of address prefixes for the subnet." 
+ }, + "value": "[if(not(empty(parameters('addressPrefixes'))), reference(resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('virtualNetworkName'), parameters('name')), '2022-07-01').addressPrefixes, createArray())]" + } + } + } + } + }, + { + "condition": "[parameters('deployAvdFirewall')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('Fw-{0}', parameters('time'))]", + "subscriptionId": "[format('{0}', variables('varExistingHubSubId'))]", + "resourceGroup": "[format('{0}', variables('varExistingHubSubRgName'))]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "name": { + "value": "[parameters('firewallName')]" + }, + "vNetId": { + "value": "[parameters('existingHubVnetResourceId')]" + }, + "firewallPolicyId": { + "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', format('{0}', variables('varExistingHubSubId')), format('{0}', variables('varExistingHubSubRgName'))), 'Microsoft.Resources/deployments', format('Fw-Policy-{0}', parameters('time'))), '2022-09-01').outputs.resourceId.value]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.21.1.54444", + "templateHash": "2960346647454834982" + } + }, + "parameters": { + "name": { + "type": "string", + "metadata": { + "description": "Required. Name of the Azure Firewall." + } + }, + "azureSkuTier": { + "type": "string", + "defaultValue": "Standard", + "allowedValues": [ + "Standard", + "Premium" + ], + "metadata": { + "description": "Optional. Tier of an Azure Firewall." + } + }, + "vNetId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Conditional. Shared services Virtual Network resource ID. The virtual network ID containing AzureFirewallSubnet. 
If a Public IP is not provided, then the Public IP that is created as part of this module will be applied with the subnet provided in this variable. Required if `virtualHubId` is empty." + } + }, + "publicIPResourceID": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The Public IP resource ID to associate to the AzureFirewallSubnet. If empty, then the Public IP that is created as part of this module will be applied to the AzureFirewallSubnet." + } + }, + "additionalPublicIpConfigurations": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. This is to add any additional Public IP configurations on top of the Public IP with subnet IP configuration." + } + }, + "isCreateDefaultPublicIP": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Specifies if a Public IP should be created by default if one is not provided." + } + }, + "publicIPAddressObject": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. Specifies the properties of the Public IP to create and be used by Azure Firewall. If it's not provided and publicIPAddressId is empty, a '-pip' suffix will be appended to the Firewall's name." + } + }, + "applicationRuleCollections": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. Collection of application rule collections used by Azure Firewall." + } + }, + "networkRuleCollections": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. Collection of network rule collections used by Azure Firewall." + } + }, + "natRuleCollections": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. Collection of NAT rule collections used by Azure Firewall." + } + }, + "firewallPolicyId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource ID of the Firewall Policy that should be attached." 
+ } + }, + "hubIPAddresses": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Conditional. IP addresses associated with AzureFirewall. Required if `virtualHubId` is supplied." + } + }, + "virtualHubId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Conditional. The virtualHub resource ID to which the firewall belongs. Required if `vNetId` is empty." + } + }, + "threatIntelMode": { + "type": "string", + "defaultValue": "Deny", + "allowedValues": [ + "Alert", + "Deny", + "Off" + ], + "metadata": { + "description": "Optional. The operation mode for Threat Intel." + } + }, + "zones": { + "type": "array", + "defaultValue": [ + "1", + "2", + "3" + ], + "metadata": { + "description": "Optional. Zone numbers e.g. 1,2,3." + } + }, + "diagnosticStorageAccountId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Diagnostic Storage Account resource identifier." + } + }, + "diagnosticWorkspaceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Log Analytics workspace resource identifier." + } + }, + "diagnosticLogsRetentionInDays": { + "type": "int", + "defaultValue": 365, + "minValue": 0, + "maxValue": 365, + "metadata": { + "description": "Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely." + } + }, + "diagnosticEventHubAuthorizationRuleId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "diagnosticEventHubName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." 
+ } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all resources." + } + }, + "lock": { + "type": "string", + "defaultValue": "", + "allowedValues": [ + "", + "CanNotDelete", + "ReadOnly" + ], + "metadata": { + "description": "Optional. Specify the type of lock." + } + }, + "roleAssignments": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "tags": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. Tags of the Azure Firewall resource." + } + }, + "enableDefaultTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + } + }, + "diagnosticLogCategoriesToEnable": { + "type": "array", + "defaultValue": [ + "allLogs" + ], + "allowedValues": [ + "allLogs", + "AzureFirewallApplicationRule", + "AzureFirewallNetworkRule", + "AzureFirewallDnsProxy" + ], + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource." + } + }, + "diagnosticMetricsToEnable": { + "type": "array", + "defaultValue": [ + "AllMetrics" + ], + "allowedValues": [ + "AllMetrics" + ], + "metadata": { + "description": "Optional. The name of metrics that will be streamed." + } + }, + "diagnosticSettingsName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The name of the diagnostic setting, if deployed. 
If left empty, it defaults to \"-diagnosticSettings\"." + } + } + }, + "variables": { + "copy": [ + { + "name": "additionalPublicIpConfigurationsVar", + "count": "[length(parameters('additionalPublicIpConfigurations'))]", + "input": { + "name": "[parameters('additionalPublicIpConfigurations')[copyIndex('additionalPublicIpConfigurationsVar')].name]", + "properties": { + "publicIPAddress": "[if(contains(parameters('additionalPublicIpConfigurations')[copyIndex('additionalPublicIpConfigurationsVar')], 'publicIPAddressResourceId'), createObject('id', parameters('additionalPublicIpConfigurations')[copyIndex('additionalPublicIpConfigurationsVar')].publicIPAddressResourceId), null())]" + } + } + }, + { + "name": "diagnosticsLogsSpecified", + "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', not(equals(lambdaVariables('item'), 'allLogs')))))]", + "input": { + "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', not(equals(lambdaVariables('item'), 'allLogs'))))[copyIndex('diagnosticsLogsSpecified')]]", + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + } + }, + { + "name": "diagnosticsMetrics", + "count": "[length(parameters('diagnosticMetricsToEnable'))]", + "input": { + "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", + "timeGrain": null, + "enabled": true, + "retentionPolicy": { + "enabled": true, + "days": "[parameters('diagnosticLogsRetentionInDays')]" + } + } + } + ], + "subnetVar": { + "subnet": { + "id": "[format('{0}/subnets/AzureFirewallSubnet', parameters('vNetId'))]" + } + }, + "existingPip": { + "publicIPAddress": { + "id": "[parameters('publicIPResourceID')]" + } + }, + "azureSkuName": "[if(empty(parameters('vNetId')), 'AZFW_Hub', 'AZFW_VNet')]", + "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 
'allLogs', 'enabled', true(), 'retentionPolicy', createObject('enabled', true(), 'days', parameters('diagnosticLogsRetentionInDays')))), variables('diagnosticsLogsSpecified'))]", + "enableReferencedModulesTelemetry": false + }, + "resources": [ + { + "condition": "[parameters('enableDefaultTelemetry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "type": "Microsoft.Network/azureFirewalls", + "apiVersion": "2022-07-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "zones": "[if(equals(length(parameters('zones')), 0), null(), parameters('zones'))]", + "tags": "[parameters('tags')]", + "properties": "[if(equals(variables('azureSkuName'), 'AZFW_VNet'), createObject('threatIntelMode', parameters('threatIntelMode'), 'firewallPolicy', if(not(empty(parameters('firewallPolicyId'))), createObject('id', parameters('firewallPolicyId')), null()), 'ipConfigurations', concat(createArray(createObject('name', if(not(empty(parameters('publicIPResourceID'))), last(split(parameters('publicIPResourceID'), '/')), reference(resourceId('Microsoft.Resources/deployments', format('{0}-Firewall-PIP', uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.name.value), 'properties', union(variables('subnetVar'), if(not(empty(parameters('publicIPResourceID'))), variables('existingPip'), createObject()), if(parameters('isCreateDefaultPublicIP'), createObject('publicIPAddress', if(and(empty(parameters('publicIPResourceID')), parameters('isCreateDefaultPublicIP')), createObject('id', reference(resourceId('Microsoft.Resources/deployments', format('{0}-Firewall-PIP', 
uniqueString(deployment().name, parameters('location')))), '2022-09-01').outputs.resourceId.value), null())), createObject())))), variables('additionalPublicIpConfigurationsVar')), 'sku', createObject('name', variables('azureSkuName'), 'tier', parameters('azureSkuTier')), 'applicationRuleCollections', parameters('applicationRuleCollections'), 'natRuleCollections', parameters('natRuleCollections'), 'networkRuleCollections', parameters('networkRuleCollections')), createObject('firewallPolicy', if(not(empty(parameters('firewallPolicyId'))), createObject('id', parameters('firewallPolicyId')), null()), 'sku', createObject('name', variables('azureSkuName'), 'tier', parameters('azureSkuTier')), 'hubIPAddresses', if(not(empty(parameters('hubIPAddresses'))), parameters('hubIPAddresses'), null()), 'virtualHub', if(not(empty(parameters('virtualHubId'))), createObject('id', parameters('virtualHubId')), null())))]", + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', format('{0}-Firewall-PIP', uniqueString(deployment().name, parameters('location'))))]" + ] + }, + { + "condition": "[not(empty(parameters('lock')))]", + "type": "Microsoft.Authorization/locks", + "apiVersion": "2020-05-01", + "scope": "[format('Microsoft.Network/azureFirewalls/{0}', parameters('name'))]", + "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "properties": { + "level": "[parameters('lock')]", + "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/azureFirewalls', parameters('name'))]" + ] + }, + { + "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "type": "Microsoft.Insights/diagnosticSettings", + 
"apiVersion": "2021-05-01-preview", + "scope": "[format('Microsoft.Network/azureFirewalls/{0}', parameters('name'))]", + "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "properties": { + "storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", + "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", + "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", + "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", + "metrics": "[variables('diagnosticsMetrics')]", + "logs": "[variables('diagnosticsLogs')]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/azureFirewalls', parameters('name'))]" + ] + }, + { + "condition": "[and(and(empty(parameters('publicIPResourceID')), parameters('isCreateDefaultPublicIP')), equals(variables('azureSkuName'), 'AZFW_VNet'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-Firewall-PIP', uniqueString(deployment().name, parameters('location')))]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "name": "[if(contains(parameters('publicIPAddressObject'), 'name'), if(not(empty(parameters('publicIPAddressObject').name)), createObject('value', parameters('publicIPAddressObject').name), createObject('value', format('{0}-pip', parameters('name')))), createObject('value', format('{0}-pip', parameters('name'))))]", + "publicIPPrefixResourceId": "[if(contains(parameters('publicIPAddressObject'), 'publicIPPrefixResourceId'), if(not(empty(parameters('publicIPAddressObject').publicIPPrefixResourceId)), 
createObject('value', parameters('publicIPAddressObject').publicIPPrefixResourceId), createObject('value', '')), createObject('value', ''))]", + "publicIPAllocationMethod": "[if(contains(parameters('publicIPAddressObject'), 'publicIPAllocationMethod'), if(not(empty(parameters('publicIPAddressObject').publicIPAllocationMethod)), createObject('value', parameters('publicIPAddressObject').publicIPAllocationMethod), createObject('value', 'Static')), createObject('value', 'Static'))]", + "skuName": "[if(contains(parameters('publicIPAddressObject'), 'skuName'), if(not(empty(parameters('publicIPAddressObject').skuName)), createObject('value', parameters('publicIPAddressObject').skuName), createObject('value', 'Standard')), createObject('value', 'Standard'))]", + "skuTier": "[if(contains(parameters('publicIPAddressObject'), 'skuTier'), if(not(empty(parameters('publicIPAddressObject').skuTier)), createObject('value', parameters('publicIPAddressObject').skuTier), createObject('value', 'Regional')), createObject('value', 'Regional'))]", + "roleAssignments": "[if(contains(parameters('publicIPAddressObject'), 'roleAssignments'), if(not(empty(parameters('publicIPAddressObject').roleAssignments)), createObject('value', parameters('publicIPAddressObject').roleAssignments), createObject('value', createArray())), createObject('value', createArray()))]", + "diagnosticMetricsToEnable": "[if(contains(parameters('publicIPAddressObject'), 'diagnosticMetricsToEnable'), if(not(empty(parameters('publicIPAddressObject').diagnosticMetricsToEnable)), createObject('value', parameters('publicIPAddressObject').diagnosticMetricsToEnable), createObject('value', createArray('AllMetrics'))), createObject('value', createArray('AllMetrics')))]", + "diagnosticLogCategoriesToEnable": "[if(contains(parameters('publicIPAddressObject'), 'diagnosticLogCategoriesToEnable'), createObject('value', parameters('publicIPAddressObject').diagnosticLogCategoriesToEnable), createObject('value', 
createArray('allLogs')))]", + "location": { + "value": "[parameters('location')]" + }, + "diagnosticStorageAccountId": { + "value": "[parameters('diagnosticStorageAccountId')]" + }, + "diagnosticWorkspaceId": { + "value": "[parameters('diagnosticWorkspaceId')]" + }, + "diagnosticEventHubAuthorizationRuleId": { + "value": "[parameters('diagnosticEventHubAuthorizationRuleId')]" + }, + "diagnosticEventHubName": { + "value": "[parameters('diagnosticEventHubName')]" + }, + "lock": { + "value": "[parameters('lock')]" + }, + "tags": { + "value": "[parameters('tags')]" + }, + "zones": { + "value": "[parameters('zones')]" + }, + "enableDefaultTelemetry": { + "value": "[variables('enableReferencedModulesTelemetry')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.21.1.54444", + "templateHash": "1998504441889364515" + } + }, + "parameters": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the Public IP Address." + } + }, + "publicIPPrefixResourceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource ID of the Public IP Prefix object. This is only needed if you want your Public IPs created in a PIP Prefix." + } + }, + "publicIPAllocationMethod": { + "type": "string", + "defaultValue": "Dynamic", + "allowedValues": [ + "Dynamic", + "Static" + ], + "metadata": { + "description": "Optional. The public IP address allocation method." + } + }, + "skuName": { + "type": "string", + "defaultValue": "Basic", + "allowedValues": [ + "Basic", + "Standard" + ], + "metadata": { + "description": "Optional. Name of a public IP address SKU." + } + }, + "skuTier": { + "type": "string", + "defaultValue": "Regional", + "allowedValues": [ + "Global", + "Regional" + ], + "metadata": { + "description": "Optional. 
Tier of a public IP address SKU." + } + }, + "zones": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. A list of availability zones denoting the IP allocated for the resource needs to come from." + } + }, + "publicIPAddressVersion": { + "type": "string", + "defaultValue": "IPv4", + "allowedValues": [ + "IPv4", + "IPv6" + ], + "metadata": { + "description": "Optional. IP address version." + } + }, + "diagnosticStorageAccountId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account." + } + }, + "diagnosticWorkspaceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace." + } + }, + "diagnosticEventHubAuthorizationRuleId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "diagnosticEventHubName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category." + } + }, + "domainNameLabel": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The domain name label. The concatenation of the domain name label and the regionalized DNS zone make up the fully qualified domain name associated with the public IP address. If a domain name label is specified, an A DNS record is created for the public IP in the Microsoft Azure DNS system." + } + }, + "fqdn": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The Fully Qualified Domain Name of the A DNS record associated with the public IP. 
This is the concatenation of the domainNameLabel and the regionalized DNS zone." + } + }, + "reverseFqdn": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The reverse FQDN. A user-visible, fully qualified domain name that resolves to this public IP address. If the reverseFqdn is specified, then a PTR DNS record is created pointing from the IP address in the in-addr.arpa domain to the reverse FQDN." + } + }, + "lock": { + "type": "string", + "defaultValue": "", + "allowedValues": [ + "", + "CanNotDelete", + "ReadOnly" + ], + "metadata": { + "description": "Optional. Specify the type of lock." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all resources." + } + }, + "roleAssignments": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "enableDefaultTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + } + }, + "tags": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. Tags of the resource." + } + }, + "diagnosticLogCategoriesToEnable": { + "type": "array", + "defaultValue": [ + "allLogs" + ], + "allowedValues": [ + "allLogs", + "DDoSProtectionNotifications", + "DDoSMitigationFlowLogs", + "DDoSMitigationReports" + ], + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource." 
+ } + }, + "diagnosticMetricsToEnable": { + "type": "array", + "defaultValue": [ + "AllMetrics" + ], + "allowedValues": [ + "AllMetrics" + ], + "metadata": { + "description": "Optional. The name of metrics that will be streamed." + } + }, + "diagnosticSettingsName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The name of the diagnostic setting, if deployed. If left empty, it defaults to \"-diagnosticSettings\"." + } + } + }, + "variables": { + "copy": [ + { + "name": "diagnosticsLogsSpecified", + "count": "[length(filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', not(equals(lambdaVariables('item'), 'allLogs')))))]", + "input": { + "category": "[filter(parameters('diagnosticLogCategoriesToEnable'), lambda('item', not(equals(lambdaVariables('item'), 'allLogs'))))[copyIndex('diagnosticsLogsSpecified')]]", + "enabled": true + } + }, + { + "name": "diagnosticsMetrics", + "count": "[length(parameters('diagnosticMetricsToEnable'))]", + "input": { + "category": "[parameters('diagnosticMetricsToEnable')[copyIndex('diagnosticsMetrics')]]", + "timeGrain": null, + "enabled": true + } + } + ], + "diagnosticsLogs": "[if(contains(parameters('diagnosticLogCategoriesToEnable'), 'allLogs'), createArray(createObject('categoryGroup', 'allLogs', 'enabled', true())), variables('diagnosticsLogsSpecified'))]" + }, + "resources": [ + { + "condition": "[parameters('enableDefaultTelemetry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "type": "Microsoft.Network/publicIPAddresses", + "apiVersion": "2022-07-01", + "name": "[parameters('name')]", + 
"location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "sku": { + "name": "[parameters('skuName')]", + "tier": "[parameters('skuTier')]" + }, + "zones": "[parameters('zones')]", + "properties": { + "dnsSettings": "[if(not(empty(parameters('domainNameLabel'))), createObject('domainNameLabel', parameters('domainNameLabel'), 'fqdn', parameters('fqdn'), 'reverseFqdn', parameters('reverseFqdn')), null())]", + "publicIPAddressVersion": "[parameters('publicIPAddressVersion')]", + "publicIPAllocationMethod": "[parameters('publicIPAllocationMethod')]", + "publicIPPrefix": "[if(not(empty(parameters('publicIPPrefixResourceId'))), createObject('id', parameters('publicIPPrefixResourceId')), null())]", + "idleTimeoutInMinutes": 4, + "ipTags": [] + } + }, + { + "condition": "[not(empty(parameters('lock')))]", + "type": "Microsoft.Authorization/locks", + "apiVersion": "2020-05-01", + "scope": "[format('Microsoft.Network/publicIPAddresses/{0}', parameters('name'))]", + "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "properties": { + "level": "[parameters('lock')]", + "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]" + ] + }, + { + "condition": "[or(or(or(not(empty(parameters('diagnosticStorageAccountId'))), not(empty(parameters('diagnosticWorkspaceId')))), not(empty(parameters('diagnosticEventHubAuthorizationRuleId')))), not(empty(parameters('diagnosticEventHubName'))))]", + "type": "Microsoft.Insights/diagnosticSettings", + "apiVersion": "2021-05-01-preview", + "scope": "[format('Microsoft.Network/publicIPAddresses/{0}', parameters('name'))]", + "name": "[if(not(empty(parameters('diagnosticSettingsName'))), parameters('diagnosticSettingsName'), format('{0}-diagnosticSettings', parameters('name')))]", + "properties": { + 
"storageAccountId": "[if(not(empty(parameters('diagnosticStorageAccountId'))), parameters('diagnosticStorageAccountId'), null())]", + "workspaceId": "[if(not(empty(parameters('diagnosticWorkspaceId'))), parameters('diagnosticWorkspaceId'), null())]", + "eventHubAuthorizationRuleId": "[if(not(empty(parameters('diagnosticEventHubAuthorizationRuleId'))), parameters('diagnosticEventHubAuthorizationRuleId'), null())]", + "eventHubName": "[if(not(empty(parameters('diagnosticEventHubName'))), parameters('diagnosticEventHubName'), null())]", + "metrics": "[variables('diagnosticsMetrics')]", + "logs": "[variables('diagnosticsLogs')]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]" + ] + }, + { + "copy": { + "name": "publicIpAddress_roleAssignments", + "count": "[length(parameters('roleAssignments'))]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-PIPAddress-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", + "principalIds": { + "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" + }, + "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", + "roleDefinitionIdOrName": { + "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" + }, + "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", + 
"delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", + "resourceId": { + "value": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.21.1.54444", + "templateHash": "7328126239184883887" + } + }, + "parameters": { + "principalIds": { + "type": "array", + "metadata": { + "description": "Required. The IDs of the principals to assign the role to." + } + }, + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "Required. The resource ID of the resource to apply the role assignment to." + } + }, + "principalType": { + "type": "string", + "defaultValue": "", + "allowedValues": [ + "ServicePrincipal", + "Group", + "User", + "ForeignGroup", + "Device", + "" + ], + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." 
+ } + }, + "conditionVersion": { + "type": "string", + "defaultValue": "2.0", + "allowedValues": [ + "2.0" + ], + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Id of the delegated managed identity resource." + } + } + }, + "variables": { + "builtInRoleNames": { + "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", + "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", + "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", + "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", + "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", + "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", + "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", + "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", + "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", + "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", + "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", + "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", + "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", + "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", + "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", + "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", + "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", + "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", + "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", + "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", + "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", + "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", + "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 
'1c0163c0-47e6-4577-8991-ea5c82e286e4')]", + "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", + "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", + "Windows Admin Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" + } + }, + "resources": [ + { + "copy": { + "name": "roleAssignment", + "count": "[length(parameters('principalIds'))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/publicIPAddresses/{0}', last(split(parameters('resourceId'), '/')))]", + "name": "[guid(resourceId('Microsoft.Network/publicIPAddresses', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", + "properties": { + "description": "[parameters('description')]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", + "principalId": "[parameters('principalIds')[copyIndex()]]", + "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", + "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", + "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", + "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]" + ] + } + ], + 
"outputs": { + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The resource group the public IP address was deployed into." + }, + "value": "[resourceGroup().name]" + }, + "name": { + "type": "string", + "metadata": { + "description": "The name of the public IP address." + }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the public IP address." + }, + "value": "[resourceId('Microsoft.Network/publicIPAddresses', parameters('name'))]" + }, + "ipAddress": { + "type": "string", + "metadata": { + "description": "The public IP address of the public IP address resource." + }, + "value": "[if(contains(reference(resourceId('Microsoft.Network/publicIPAddresses', parameters('name')), '2022-07-01'), 'ipAddress'), reference(resourceId('Microsoft.Network/publicIPAddresses', parameters('name')), '2022-07-01').ipAddress, '')]" + }, + "location": { + "type": "string", + "metadata": { + "description": "The location the resource was deployed into." 
+ }, + "value": "[reference(resourceId('Microsoft.Network/publicIPAddresses', parameters('name')), '2022-07-01', 'full').location]" + } + } + } + } + }, + { + "copy": { + "name": "azureFirewall_roleAssignments", + "count": "[length(parameters('roleAssignments'))]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-AzFW-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", + "principalIds": { + "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" + }, + "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", + "roleDefinitionIdOrName": { + "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" + }, + "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", + "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", + "resourceId": { + "value": "[resourceId('Microsoft.Network/azureFirewalls', parameters('name'))]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.21.1.54444", + 
"templateHash": "4956524931122744714" + } + }, + "parameters": { + "principalIds": { + "type": "array", + "metadata": { + "description": "Required. The IDs of the principals to assign the role to." + } + }, + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "Required. The resource ID of the resource to apply the role assignment to." + } + }, + "principalType": { + "type": "string", + "defaultValue": "", + "allowedValues": [ + "ServicePrincipal", + "Group", + "User", + "ForeignGroup", + "Device", + "" + ], + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." + } + }, + "conditionVersion": { + "type": "string", + "defaultValue": "2.0", + "allowedValues": [ + "2.0" + ], + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Id of the delegated managed identity resource." 
+ } + } + }, + "variables": { + "builtInRoleNames": { + "Avere Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4f8fab4f-1852-4a58-a46a-8eaf358af14a')]", + "Avere Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c025889f-8102-4ebf-b32c-fc0c6f0c6bd9')]", + "Azure Center for SAP solutions administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b0c7e81-271f-4c71-90bf-e30bdfdbc2f7')]", + "Azure Center for SAP solutions reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '05352d14-a920-4328-a0de-4cbe7430e26b')]", + "Azure Center for SAP solutions service role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'aabbc5dd-1af0-458b-a942-81af88f9c138')]", + "Azure Kubernetes Service Policy Add-on Deployment": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18ed5180-3e48-46fd-8541-4ea054d57064')]", + "Backup Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5e467623-bb1f-42f4-a55d-6e525e11384b')]", + "Backup Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00c29273-979b-4161-815c-10b084fb9324')]", + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Cosmos DB Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '230815da-be43-4aae-9cb4-875f7bd000aa')]", + "Desktop Virtualization Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a959dbd1-f747-45e3-8ba6-dd80f235f97c')]", + "DevTest Labs User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '76283e04-6283-4c54-8f91-bcf1374a3c64')]", + "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", + "DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'befefa01-2a29-4197-83a8-272ff33ce314')]", + "DocumentDB Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '5bd9cd88-fe45-4216-938b-f97437e15450')]", + "Domain Services Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'eeaeda52-9324-47f6-8069-5d5bade478b2')]", + "Domain Services Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '361898ef-9ed1-48c2-849c-a832951106bb')]", + "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", + "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", + "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", + "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", + "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", + "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", + "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", + "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Private DNS Zone Contributor": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "Site Recovery Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '6670b86e-a3f7-4917-ac9b-5d6ab1be4567')]", + "Site Recovery Operator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '494ae006-db33-4328-bf46-533a6560a3ca')]", + "SQL Managed Instance Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4939a1f6-9ae0-4e48-a1e0-f2cbe897382d')]", + "SQL Security Manager": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '056cd41c-7e88-42e1-933e-88ba6a50c9c3')]", + "Storage Account Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '17d1049b-9a84-46fb-8f53-869881c3d3ab')]", + "Traffic Manager Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a4b10055-b0c7-44c2-b00f-c7b5b3550cf7')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]", + "Virtual Machine Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '1c0163c0-47e6-4577-8991-ea5c82e286e4')]", + "Virtual Machine Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '9980e02c-c2be-4d73-94e8-173b1dc7cf3c')]", + "Virtual Machine User Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'fb879df8-f326-4884-b1cf-06f3ad86be52')]", + "Windows Admin 
Center Administrator Login": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a6333a3e-0164-44c3-b281-7a577aff287f')]" + } + }, + "resources": [ + { + "copy": { + "name": "roleAssignment", + "count": "[length(parameters('principalIds'))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/azureFirewalls/{0}', last(split(parameters('resourceId'), '/')))]", + "name": "[guid(resourceId('Microsoft.Network/azureFirewalls', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", + "properties": { + "description": "[parameters('description')]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", + "principalId": "[parameters('principalIds')[copyIndex()]]", + "principalType": "[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", + "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", + "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", + "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/azureFirewalls', parameters('name'))]" + ] + } + ], + "outputs": { + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the Azure Firewall." + }, + "value": "[resourceId('Microsoft.Network/azureFirewalls', parameters('name'))]" + }, + "name": { + "type": "string", + "metadata": { + "description": "The name of the Azure Firewall." 
+ }, + "value": "[parameters('name')]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The resource group the Azure firewall was deployed into." + }, + "value": "[resourceGroup().name]" + }, + "privateIp": { + "type": "string", + "metadata": { + "description": "The private IP of the Azure firewall." + }, + "value": "[if(contains(reference(resourceId('Microsoft.Network/azureFirewalls', parameters('name')), '2022-07-01'), 'ipConfigurations'), reference(resourceId('Microsoft.Network/azureFirewalls', parameters('name')), '2022-07-01').ipConfigurations[0].properties.privateIPAddress, '')]" + }, + "ipConfAzureFirewallSubnet": { + "type": "object", + "metadata": { + "description": "The Public IP configuration object for the Azure Firewall Subnet." + }, + "value": "[if(contains(reference(resourceId('Microsoft.Network/azureFirewalls', parameters('name')), '2022-07-01'), 'ipConfigurations'), reference(resourceId('Microsoft.Network/azureFirewalls', parameters('name')), '2022-07-01').ipConfigurations[0], createObject())]" + }, + "applicationRuleCollections": { + "type": "array", + "metadata": { + "description": "List of Application Rule Collections." + }, + "value": "[parameters('applicationRuleCollections')]" + }, + "networkRuleCollections": { + "type": "array", + "metadata": { + "description": "List of Network Rule Collections." + }, + "value": "[parameters('networkRuleCollections')]" + }, + "natRuleCollections": { + "type": "array", + "metadata": { + "description": "Collection of NAT rule collections used by Azure Firewall." + }, + "value": "[parameters('natRuleCollections')]" + }, + "location": { + "type": "string", + "metadata": { + "description": "The location the resource was deployed into." 
+ }, + "value": "[reference(resourceId('Microsoft.Network/azureFirewalls', parameters('name')), '2022-07-01', 'full').location]" + } + } + } + }, + "dependsOn": [ + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', format('{0}', variables('varExistingHubSubId')), format('{0}', variables('varExistingHubSubRgName'))), 'Microsoft.Resources/deployments', format('Fw-Policy-{0}', parameters('time')))]", + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', format('{0}', variables('varExistingHubSubId')), format('{0}', variables('varExistingHubSubRgName'))), 'Microsoft.Resources/deployments', format('Fw-Policy-Rcg-Optional-{0}', parameters('time')))]", + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', format('{0}', variables('varExistingHubSubId')), format('{0}', variables('varExistingHubSubRgName'))), 'Microsoft.Resources/deployments', format('Fw-Subnet-{0}', parameters('time')))]" + ] + }, + { + "condition": "[and(parameters('createVnet'), parameters('deployAvdFirewall'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('Route-Table-AVD-Fw-{0}', parameters('time'))]", + "subscriptionId": "[format('{0}', parameters('workloadSubsId'))]", + "resourceGroup": "[format('{0}', parameters('networkObjectsRgName'))]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "name": { + "value": "[parameters('avdRouteTableName')]" + }, + "location": { + "value": "[parameters('sessionHostLocation')]" + }, + "tags": { + "value": "[parameters('tags')]" + }, + "routes": "[if(variables('varCreateAvdStaicRoute'), createObject('value', createArray(createObject('name', 'default', 'properties', createObject('addressPrefix', '0.0.0.0/0', 'nextHopIpAddress', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', format('{0}', variables('varExistingHubSubId')), format('{0}', 
variables('varExistingHubSubRgName'))), 'Microsoft.Resources/deployments', format('Fw-{0}', parameters('time'))), '2022-09-01').outputs.privateIp.value, 'nextHopType', 'VirtualAppliance')))), createObject('value', createArray()))]" + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.21.1.54444", + "templateHash": "18134341385828267149" + } + }, + "parameters": { + "name": { + "type": "string", + "metadata": { + "description": "Required. Name given for the hub route table." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all resources." + } + }, + "routes": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. An Array of Routes to be established within the hub route table." + } + }, + "disableBgpRoutePropagation": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Switch to disable BGP route propagation." + } + }, + "lock": { + "type": "string", + "defaultValue": "", + "allowedValues": [ + "", + "CanNotDelete", + "ReadOnly" + ], + "metadata": { + "description": "Optional. Specify the type of lock." + } + }, + "roleAssignments": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "tags": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. Tags of the resource." 
+ } + }, + "enableDefaultTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." + } + } + }, + "resources": [ + { + "condition": "[parameters('enableDefaultTelemetry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "type": "Microsoft.Network/routeTables", + "apiVersion": "2022-07-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "properties": { + "routes": "[parameters('routes')]", + "disableBgpRoutePropagation": "[parameters('disableBgpRoutePropagation')]" + } + }, + { + "condition": "[not(empty(parameters('lock')))]", + "type": "Microsoft.Authorization/locks", + "apiVersion": "2020-05-01", + "scope": "[format('Microsoft.Network/routeTables/{0}', parameters('name'))]", + "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "properties": { + "level": "[parameters('lock')]", + "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + }, + "dependsOn": [ + "[resourceId('Microsoft.Network/routeTables', parameters('name'))]" + ] + }, + { + "copy": { + "name": "routeTable_roleAssignments", + "count": "[length(parameters('roleAssignments'))]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-RouteTable-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "properties": { + "expressionEvaluationOptions": { + "scope": 
"inner" + }, + "mode": "Incremental", + "parameters": { + "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", + "principalIds": { + "value": "[parameters('roleAssignments')[copyIndex()].principalIds]" + }, + "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", + "roleDefinitionIdOrName": { + "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" + }, + "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", + "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", + "resourceId": { + "value": "[resourceId('Microsoft.Network/routeTables', parameters('name'))]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.21.1.54444", + "templateHash": "15918129007023123856" } }, "parameters": { 
@@ -12374,8 +15867,8 @@ }, "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/virtualNetworks/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.Network/virtualNetworks', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", + "scope": "[format('Microsoft.Network/routeTables/{0}', last(split(parameters('resourceId'), '/')))]", + "name": "[guid(resourceId('Microsoft.Network/routeTables', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", "properties": { "description": "[parameters('description')]", "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", @@ -12390,7 +15883,7 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Network/virtualNetworks', parameters('name'))]" + "[resourceId('Microsoft.Network/routeTables', parameters('name'))]" ] } ], 
@@ -12398,418 +15891,36 @@ "resourceGroupName": { "type": "string", "metadata": { - "description": "The resource group the virtual network was deployed into." + "description": "The resource group the route table was deployed into." }, "value": "[resourceGroup().name]" }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the virtual network." - }, - "value": "[resourceId('Microsoft.Network/virtualNetworks', parameters('name'))]" - }, "name": { "type": "string", "metadata": { - "description": "The name of the virtual network." + "description": "The name of the route table." }, "value": "[parameters('name')]" }, - "subnetNames": { - "type": "array", - "metadata": { - "description": "The names of the deployed subnets." - }, - "copy": { - "count": "[length(parameters('subnets'))]", - "input": "[parameters('subnets')[copyIndex()].name]" - } - }, - "subnetResourceIds": { - "type": "array", - "metadata": { - "description": "The resource IDs of the deployed subnets." - }, - "copy": { - "count": "[length(parameters('subnets'))]", - "input": "[resourceId('Microsoft.Network/virtualNetworks/subnets', parameters('name'), parameters('subnets')[copyIndex()].name)]" - } - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." - }, - "value": "[reference(resourceId('Microsoft.Network/virtualNetworks', parameters('name')), '2022-07-01', 'full').location]" - }, - "diagnosticsLogs": { - "type": "array", - "metadata": { - "description": "The Diagnostic Settings of the virtual network." 
- }, - "value": "[variables('diagnosticsLogs')]" - } - } - } - }, - "dependsOn": [ - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', format('{0}', parameters('workloadSubsId')), format('{0}', parameters('networkObjectsRgName'))), 'Microsoft.Resources/deployments', format('NSG-AVD-{0}', parameters('time')))]", - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', format('{0}', parameters('workloadSubsId')), format('{0}', parameters('networkObjectsRgName'))), 'Microsoft.Resources/deployments', format('NSG-Private-Endpoint-{0}', parameters('time')))]", - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', format('{0}', parameters('workloadSubsId')), format('{0}', parameters('networkObjectsRgName'))), 'Microsoft.Resources/deployments', format('Route-Table-AVD-{0}', parameters('time')))]", - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', format('{0}', parameters('workloadSubsId')), format('{0}', parameters('networkObjectsRgName'))), 'Microsoft.Resources/deployments', format('Route-Table-PE-{0}', parameters('time')))]" - ] - }, - { - "condition": "[and(parameters('createPrivateDnsZones'), equals(variables('varAzureCloudName'), 'AzureCloud'))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('Private-DNS-Comm-Files-{0}', parameters('time'))]", - "subscriptionId": "[format('{0}', parameters('workloadSubsId'))]", - "resourceGroup": "[format('{0}', parameters('networkObjectsRgName'))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "privateDnsZoneName": { - "value": "privatelink.file.core.windows.net" - }, - "virtualNetworkResourceId": "[if(parameters('createVnet'), createObject('value', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', format('{0}', parameters('workloadSubsId')), format('{0}', parameters('networkObjectsRgName'))), 
'Microsoft.Resources/deployments', format('vNet-{0}', parameters('time'))), '2022-09-01').outputs.resourceId.value), createObject('value', variables('varExistingAvdVnetResourceId')))]", - "tags": { - "value": "[parameters('tags')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "9421903776734870810" - } - }, - "parameters": { - "privateDnsZoneName": { - "type": "string", - "metadata": { - "description": "Name space of the private DNS zone" - } - }, - "tags": { - "type": "object", - "metadata": { - "description": "Tags to be applied to resources" - } - }, - "virtualNetworkResourceId": { - "type": "string", - "metadata": { - "description": "Virtual network resource ID to link private DNS zone to" - } - } - }, - "resources": [ - { - "type": "Microsoft.Network/privateDnsZones", - "apiVersion": "2020-06-01", - "name": "[parameters('privateDnsZoneName')]", - "location": "Global", - "tags": "[parameters('tags')]" - }, - { - "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", - "apiVersion": "2020-06-01", - "name": "[format('{0}/{1}', parameters('privateDnsZoneName'), format('{0}-vnetlink', last(split(parameters('virtualNetworkResourceId'), '/'))))]", - "location": "Global", - "tags": "[parameters('tags')]", - "properties": { - "registrationEnabled": false, - "virtualNetwork": { - "id": "[parameters('virtualNetworkResourceId')]" - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateDnsZones', parameters('privateDnsZoneName'))]" - ] - } - ], - "outputs": { "resourceId": { - "type": "string", - "value": "[resourceId('Microsoft.Network/privateDnsZones', parameters('privateDnsZoneName'))]" - } - } - } - }, - "dependsOn": [ - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', format('{0}', parameters('workloadSubsId')), 
format('{0}', parameters('networkObjectsRgName'))), 'Microsoft.Resources/deployments', format('vNet-{0}', parameters('time')))]" - ] - }, - { - "condition": "[and(parameters('createPrivateDnsZones'), equals(variables('varAzureCloudName'), 'AzureCloud'))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('Private-DNS-Comm-Kv-{0}', parameters('time'))]", - "subscriptionId": "[format('{0}', parameters('workloadSubsId'))]", - "resourceGroup": "[format('{0}', parameters('networkObjectsRgName'))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "privateDnsZoneName": { - "value": "privatelink.vaultcore.azure.net" - }, - "virtualNetworkResourceId": "[if(parameters('createVnet'), createObject('value', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', format('{0}', parameters('workloadSubsId')), format('{0}', parameters('networkObjectsRgName'))), 'Microsoft.Resources/deployments', format('vNet-{0}', parameters('time'))), '2022-09-01').outputs.resourceId.value), createObject('value', variables('varExistingAvdVnetResourceId')))]", - "tags": { - "value": "[parameters('tags')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "9421903776734870810" - } - }, - "parameters": { - "privateDnsZoneName": { - "type": "string", - "metadata": { - "description": "Name space of the private DNS zone" - } - }, - "tags": { - "type": "object", - "metadata": { - "description": "Tags to be applied to resources" - } - }, - "virtualNetworkResourceId": { "type": "string", "metadata": { - "description": "Virtual network resource ID to link private DNS zone to" - } - } - }, - "resources": [ - { - "type": "Microsoft.Network/privateDnsZones", - "apiVersion": 
"2020-06-01", - "name": "[parameters('privateDnsZoneName')]", - "location": "Global", - "tags": "[parameters('tags')]" - }, - { - "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", - "apiVersion": "2020-06-01", - "name": "[format('{0}/{1}', parameters('privateDnsZoneName'), format('{0}-vnetlink', last(split(parameters('virtualNetworkResourceId'), '/'))))]", - "location": "Global", - "tags": "[parameters('tags')]", - "properties": { - "registrationEnabled": false, - "virtualNetwork": { - "id": "[parameters('virtualNetworkResourceId')]" - } - }, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateDnsZones', parameters('privateDnsZoneName'))]" - ] - } - ], - "outputs": { - "resourceId": { - "type": "string", - "value": "[resourceId('Microsoft.Network/privateDnsZones', parameters('privateDnsZoneName'))]" - } - } - } - }, - "dependsOn": [ - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', format('{0}', parameters('workloadSubsId')), format('{0}', parameters('networkObjectsRgName'))), 'Microsoft.Resources/deployments', format('vNet-{0}', parameters('time')))]" - ] - }, - { - "condition": "[and(parameters('createPrivateDnsZones'), equals(variables('varAzureCloudName'), 'AzureUSGovernment'))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('Private-DNS-Gov-Files-{0}', parameters('time'))]", - "subscriptionId": "[format('{0}', parameters('workloadSubsId'))]", - "resourceGroup": "[format('{0}', parameters('networkObjectsRgName'))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "privateDnsZoneName": { - "value": "privatelink.file.core.usgovcloudapi.net" - }, - "virtualNetworkResourceId": "[if(parameters('createVnet'), createObject('value', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', format('{0}', parameters('workloadSubsId')), format('{0}', parameters('networkObjectsRgName'))), 
'Microsoft.Resources/deployments', format('vNet-{0}', parameters('time'))), '2022-09-01').outputs.resourceId.value), createObject('value', variables('varExistingAvdVnetResourceId')))]", - "tags": { - "value": "[parameters('tags')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "9421903776734870810" - } - }, - "parameters": { - "privateDnsZoneName": { - "type": "string", - "metadata": { - "description": "Name space of the private DNS zone" - } - }, - "tags": { - "type": "object", - "metadata": { - "description": "Tags to be applied to resources" - } - }, - "virtualNetworkResourceId": { - "type": "string", - "metadata": { - "description": "Virtual network resource ID to link private DNS zone to" - } - } - }, - "resources": [ - { - "type": "Microsoft.Network/privateDnsZones", - "apiVersion": "2020-06-01", - "name": "[parameters('privateDnsZoneName')]", - "location": "Global", - "tags": "[parameters('tags')]" - }, - { - "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", - "apiVersion": "2020-06-01", - "name": "[format('{0}/{1}', parameters('privateDnsZoneName'), format('{0}-vnetlink', last(split(parameters('virtualNetworkResourceId'), '/'))))]", - "location": "Global", - "tags": "[parameters('tags')]", - "properties": { - "registrationEnabled": false, - "virtualNetwork": { - "id": "[parameters('virtualNetworkResourceId')]" - } + "description": "The resource ID of the route table." 
}, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateDnsZones', parameters('privateDnsZoneName'))]" - ] - } - ], - "outputs": { - "resourceId": { - "type": "string", - "value": "[resourceId('Microsoft.Network/privateDnsZones', parameters('privateDnsZoneName'))]" - } - } - } - }, - "dependsOn": [ - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', format('{0}', parameters('workloadSubsId')), format('{0}', parameters('networkObjectsRgName'))), 'Microsoft.Resources/deployments', format('vNet-{0}', parameters('time')))]" - ] - }, - { - "condition": "[and(parameters('createPrivateDnsZones'), equals(variables('varAzureCloudName'), 'AzureUSGovernment'))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('Private-DNS-Gov-Kv-{0}', parameters('time'))]", - "subscriptionId": "[format('{0}', parameters('workloadSubsId'))]", - "resourceGroup": "[format('{0}', parameters('networkObjectsRgName'))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "privateDnsZoneName": { - "value": "privatelink.vaultcore.usgovcloudapi.net" - }, - "virtualNetworkResourceId": "[if(parameters('createVnet'), createObject('value', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', format('{0}', parameters('workloadSubsId')), format('{0}', parameters('networkObjectsRgName'))), 'Microsoft.Resources/deployments', format('vNet-{0}', parameters('time'))), '2022-09-01').outputs.resourceId.value), createObject('value', variables('varExistingAvdVnetResourceId')))]", - "tags": { - "value": "[parameters('tags')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "9421903776734870810" - } - }, - "parameters": { - "privateDnsZoneName": { - 
"type": "string", - "metadata": { - "description": "Name space of the private DNS zone" - } - }, - "tags": { - "type": "object", - "metadata": { - "description": "Tags to be applied to resources" - } + "value": "[resourceId('Microsoft.Network/routeTables', parameters('name'))]" }, - "virtualNetworkResourceId": { + "location": { "type": "string", "metadata": { - "description": "Virtual network resource ID to link private DNS zone to" - } - } - }, - "resources": [ - { - "type": "Microsoft.Network/privateDnsZones", - "apiVersion": "2020-06-01", - "name": "[parameters('privateDnsZoneName')]", - "location": "Global", - "tags": "[parameters('tags')]" - }, - { - "type": "Microsoft.Network/privateDnsZones/virtualNetworkLinks", - "apiVersion": "2020-06-01", - "name": "[format('{0}/{1}', parameters('privateDnsZoneName'), format('{0}-vnetlink', last(split(parameters('virtualNetworkResourceId'), '/'))))]", - "location": "Global", - "tags": "[parameters('tags')]", - "properties": { - "registrationEnabled": false, - "virtualNetwork": { - "id": "[parameters('virtualNetworkResourceId')]" - } + "description": "The location the resource was deployed into." 
}, - "dependsOn": [ - "[resourceId('Microsoft.Network/privateDnsZones', parameters('privateDnsZoneName'))]" - ] - } - ], - "outputs": { - "resourceId": { - "type": "string", - "value": "[resourceId('Microsoft.Network/privateDnsZones', parameters('privateDnsZoneName'))]" + "value": "[reference(resourceId('Microsoft.Network/routeTables', parameters('name')), '2022-07-01', 'full').location]" } } } }, "dependsOn": [ - "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', format('{0}', parameters('workloadSubsId')), format('{0}', parameters('networkObjectsRgName'))), 'Microsoft.Resources/deployments', format('vNet-{0}', parameters('time')))]" + "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', format('{0}', variables('varExistingHubSubId')), format('{0}', variables('varExistingHubSubRgName'))), 'Microsoft.Resources/deployments', format('Fw-{0}', parameters('time')))]" ] } ], @@ -12933,8 +16044,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "3669216872795545582" + "version": "0.21.1.54444", + "templateHash": "4247202091397558834" } }, "parameters": { @@ -13048,13 +16159,13 @@ }, "hostPoolType": { "type": "string", - "metadata": { - "description": "Optional. AVD host pool type." - }, "allowedValues": [ "Personal", "Pooled" - ] + ], + "metadata": { + "description": "Optional. AVD host pool type." + } }, "preferredAppGroupType": { "type": "string", 
@@ -13070,23 +16181,23 @@ }, "personalAssignType": { "type": "string", - "metadata": { - "description": "Optional. AVD host pool type." - }, "allowedValues": [ "Automatic", "Direct" - ] + ], + "metadata": { + "description": "Optional. AVD host pool type." + } }, "hostPoolLoadBalancerType": { "type": "string", - "metadata": { - "description": "AVD host pool load balacing type." - }, "allowedValues": [ "BreadthFirst", "DepthFirst" - ] + ], + "metadata": { + "description": "AVD host pool load balacing type." + } }, "hostPoolMaxSessions": { "type": "int", @@ -13218,8 +16329,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "14753481159691076868" + "version": "0.21.1.54444", + "templateHash": "13399704224502342582" } }, "parameters": { @@ -13359,14 +16470,14 @@ "lock": { "type": "string", "defaultValue": "", - "metadata": { - "description": "Optional. Specify the type of lock." - }, "allowedValues": [ "", "CanNotDelete", "ReadOnly" - ] + ], + "metadata": { + "description": "Optional. Specify the type of lock." + } }, "tags": { "type": "object", @@ -13610,8 +16721,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "2314964423044495570" + "version": "0.21.1.54444", + "templateHash": "15758203474913146406" } }, "parameters": { @@ -13828,8 +16939,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "782391975946165786" + "version": "0.21.1.54444", + "templateHash": "2132806116783886507" } }, "parameters": { @@ -13915,14 +17026,14 @@ "lock": { "type": "string", "defaultValue": "", - "metadata": { - "description": "Optional. Specify the type of lock." - }, "allowedValues": [ "", "CanNotDelete", "ReadOnly" - ] + ], + "metadata": { + "description": "Optional. Specify the type of lock." + } }, "tags": { "type": "object", 
@@ -14081,8 +17192,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "7203259033747042619" + "version": "0.21.1.54444", + "templateHash": "11635969849932067949" } }, "parameters": { @@ -14120,14 +17231,14 @@ "commandLineSetting": { "type": "string", "defaultValue": "DoNotAllow", - "metadata": { - "description": "Optional. Specifies whether this published application can be launched with command-line arguments provided by the client, command-line arguments specified at publish time, or no command-line arguments at all." - }, "allowedValues": [ "Allow", "DoNotAllow", "Require" - ] + ], + "metadata": { + "description": "Optional. Specifies whether this published application can be launched with command-line arguments provided by the client, command-line arguments specified at publish time, or no command-line arguments at all." + } }, "commandLineArguments": { "type": "string", @@ -14259,8 +17370,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "1752140700494840741" + "version": "0.21.1.54444", + "templateHash": "9771114878684828045" } }, "parameters": { @@ -14466,8 +17577,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "324317554219687604" + "version": "0.21.1.54444", + "templateHash": "18405598736525966402" } }, "parameters": { @@ -14536,14 +17647,14 @@ "lock": { "type": "string", "defaultValue": "", - "metadata": { - "description": "Optional. Specify the type of lock." - }, "allowedValues": [ "", "CanNotDelete", "ReadOnly" - ] + ], + "metadata": { + "description": "Optional. Specify the type of lock." + } }, "tags": { "type": "object", @@ -14695,8 +17806,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "6421047844253253523" + "version": "0.21.1.54444", + "templateHash": "12071774351316031070" } }, "parameters": { 
@@ -14916,8 +18027,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "17010593045994332917" + "version": "0.21.1.54444", + "templateHash": "2398896279200009074" } }, "parameters": { @@ -14959,12 +18070,12 @@ "hostPoolType": { "type": "string", "defaultValue": "Pooled", - "metadata": { - "description": "Optional. The type of hostpool where this scaling plan should be applied." - }, "allowedValues": [ "Pooled" - ] + ], + "metadata": { + "description": "Optional. The type of hostpool where this scaling plan should be applied." + } }, "exclusionTag": { "type": "string", @@ -15184,8 +18295,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "12892308842611713996" + "version": "0.21.1.54444", + "templateHash": "5284850760210698082" } }, "parameters": { @@ -15421,8 +18532,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "16001375654748927393" + "version": "0.21.1.54444", + "templateHash": "3253016444031789965" } }, "parameters": { 
@@ -15598,324 +18709,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "15136491551081535379" - } - }, - "parameters": { - "name": { - "type": "string", - "defaultValue": "[guid(resourceGroup().id)]", - "metadata": { - "description": "Optional. Name of the User Assigned Identity." - } - }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } - }, - "lock": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Specify the type of lock." - }, - "allowedValues": [ - "", - "CanNotDelete", - "ReadOnly" - ] - }, - "roleAssignments": { - "type": "array", - "defaultValue": [], - "metadata": { - "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "tags": { - "type": "object", - "defaultValue": {}, - "metadata": { - "description": "Optional. Tags of the resource." - } - }, - "enableDefaultTelemetry": { - "type": "bool", - "defaultValue": true, - "metadata": { - "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
- } - } - }, - "resources": [ - { - "condition": "[parameters('enableDefaultTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2021-04-01", - "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", - "properties": { - "mode": "Incremental", - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [] - } - } - }, - { - "type": "Microsoft.ManagedIdentity/userAssignedIdentities", - "apiVersion": "2018-11-30", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]" - }, - { - "condition": "[not(empty(parameters('lock')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.ManagedIdentity/userAssignedIdentities/{0}', parameters('name'))]", - "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", - "properties": { - "level": "[parameters('lock')]", - "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" - }, - "dependsOn": [ - "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('name'))]" - ] - }, - { - "copy": { - "name": "userMsi_roleAssignments", - "count": "[length(parameters('roleAssignments'))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-UserMSI-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", - "principalIds": { - 
"value": "[parameters('roleAssignments')[copyIndex()].principalIds]" - }, - "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", - "roleDefinitionIdOrName": { - "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" - }, - "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", - "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", - "resourceId": { - "value": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('name'))]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "8490200634198428200" - } - }, - "parameters": { - "principalIds": { - "type": "array", - "metadata": { - "description": "Required. The IDs of the principals to assign the role to." - } - }, - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the resource to apply the role assignment to." - } - }, - "principalType": { - "type": "string", - "defaultValue": "", - "allowedValues": [ - "ServicePrincipal", - "Group", - "User", - "ForeignGroup", - "Device", - "" - ], - "metadata": { - "description": "Optional. 
The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." - } - }, - "conditionVersion": { - "type": "string", - "defaultValue": "2.0", - "allowedValues": [ - "2.0" - ], - "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Id of the delegated managed identity resource." - } - } - }, - "variables": { - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", - "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", - "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", - "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", - "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", - "Managed Identity Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]", - "Managed Identity Operator": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f1a07417-d97a-45cb-824c-7a7467783830')]", - "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", - "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": [ - { - "copy": { - "name": "roleAssignment", - "count": "[length(parameters('principalIds'))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.ManagedIdentity/userAssignedIdentities/{0}', last(split(parameters('resourceId'), '/')))]", - "name": "[guid(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", - "properties": { - "description": "[parameters('description')]", - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", - "principalId": "[parameters('principalIds')[copyIndex()]]", - "principalType": 
"[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", - "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", - "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", - "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" - } - } - ] - } - }, - "dependsOn": [ - "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('name'))]" - ] - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the user assigned identity." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the user assigned identity." - }, - "value": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('name'))]" - }, - "principalId": { - "type": "string", - "metadata": { - "description": "The principal ID of the user assigned identity." - }, - "value": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('name')), '2018-11-30').principalId]" - }, - "clientId": { - "type": "string", - "metadata": { - "description": "The resource ID of the user assigned identity" - }, - "value": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('name')), '2018-11-30').clientId]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the user assigned identity was deployed into." - }, - "value": "[resourceGroup().name]" - }, - "location": { - "type": "string", - "metadata": { - "description": "The location the resource was deployed into." 
- }, - "value": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('name')), '2018-11-30', 'full').location]" - } - } - } - } - }, - { - "condition": "[or(parameters('createStorageDeployment'), parameters('createSessionHosts'))]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('MI-CleanUp-{0}', parameters('time'))]", - "subscriptionId": "[format('{0}', parameters('subscriptionId'))]", - "resourceGroup": "[format('{0}', parameters('serviceObjectsRgName'))]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[parameters('cleanUpManagedIdentityName')]" - }, - "location": { - "value": "[parameters('location')]" - }, - "tags": { - "value": "[parameters('tags')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "15136491551081535379" + "version": "0.21.1.54444", + "templateHash": "7754983815852819350" } }, "parameters": { 
@@ -15936,14 +18731,330 @@ "lock": { "type": "string", "defaultValue": "", + "allowedValues": [ + "", + "CanNotDelete", + "ReadOnly" + ], "metadata": { "description": "Optional. Specify the type of lock." + } + }, + "roleAssignments": { + "type": "array", + "defaultValue": [], + "metadata": { + "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "tags": { + "type": "object", + "defaultValue": {}, + "metadata": { + "description": "Optional. Tags of the resource." + } + }, + "enableDefaultTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable telemetry via a Globally Unique Identifier (GUID)." 
+ } + } + }, + "resources": [ + { + "condition": "[parameters('enableDefaultTelemetry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2021-04-01", + "name": "[format('pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-{0}', uniqueString(deployment().name, parameters('location')))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [] + } + } + }, + { + "type": "Microsoft.ManagedIdentity/userAssignedIdentities", + "apiVersion": "2018-11-30", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]" + }, + { + "condition": "[not(empty(parameters('lock')))]", + "type": "Microsoft.Authorization/locks", + "apiVersion": "2020-05-01", + "scope": "[format('Microsoft.ManagedIdentity/userAssignedIdentities/{0}', parameters('name'))]", + "name": "[format('{0}-{1}-lock', parameters('name'), parameters('lock'))]", + "properties": { + "level": "[parameters('lock')]", + "notes": "[if(equals(parameters('lock'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot modify the resource or child resources.')]" + }, + "dependsOn": [ + "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('name'))]" + ] + }, + { + "copy": { + "name": "userMsi_roleAssignments", + "count": "[length(parameters('roleAssignments'))]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-UserMSI-Rbac-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "description": "[if(contains(parameters('roleAssignments')[copyIndex()], 'description'), createObject('value', parameters('roleAssignments')[copyIndex()].description), createObject('value', ''))]", + "principalIds": { + 
"value": "[parameters('roleAssignments')[copyIndex()].principalIds]" + }, + "principalType": "[if(contains(parameters('roleAssignments')[copyIndex()], 'principalType'), createObject('value', parameters('roleAssignments')[copyIndex()].principalType), createObject('value', ''))]", + "roleDefinitionIdOrName": { + "value": "[parameters('roleAssignments')[copyIndex()].roleDefinitionIdOrName]" + }, + "condition": "[if(contains(parameters('roleAssignments')[copyIndex()], 'condition'), createObject('value', parameters('roleAssignments')[copyIndex()].condition), createObject('value', ''))]", + "delegatedManagedIdentityResourceId": "[if(contains(parameters('roleAssignments')[copyIndex()], 'delegatedManagedIdentityResourceId'), createObject('value', parameters('roleAssignments')[copyIndex()].delegatedManagedIdentityResourceId), createObject('value', ''))]", + "resourceId": { + "value": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('name'))]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.21.1.54444", + "templateHash": "5263933546195004806" + } + }, + "parameters": { + "principalIds": { + "type": "array", + "metadata": { + "description": "Required. The IDs of the principals to assign the role to." + } + }, + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The name of the role to assign. If it cannot be found you can specify the role definition ID instead." + } + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "Required. The resource ID of the resource to apply the role assignment to." + } + }, + "principalType": { + "type": "string", + "defaultValue": "", + "allowedValues": [ + "ServicePrincipal", + "Group", + "User", + "ForeignGroup", + "Device", + "" + ], + "metadata": { + "description": "Optional. 
The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." + } + }, + "conditionVersion": { + "type": "string", + "defaultValue": "2.0", + "allowedValues": [ + "2.0" + ], + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. Id of the delegated managed identity resource." + } + } + }, + "variables": { + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "Log Analytics Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '92aaf0da-9dab-42b6-94a3-d43ce8d16293')]", + "Log Analytics Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '73c42c96-874c-492b-b04d-ab87d138a893')]", + "Managed Application Contributor Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '641177b8-a67a-45b9-a033-47bc880bb21e')]", + "Managed Application Operator Role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'c7393b34-138c-406f-901b-d8cf2b17e6ae')]", + "Managed Applications Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b9331d33-8a36-4f8c-b097-4f54124fdb44')]", + "Managed Identity Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e40ec5ca-96e0-45a2-b4ff-59039f2c2b59')]", + "Managed Identity Operator": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f1a07417-d97a-45cb-824c-7a7467783830')]", + "Monitoring Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '749f88d5-cbae-40b8-bcfc-e573ddc772fa')]", + "Monitoring Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '43d0d8ad-25c7-4714-9337-8ba259a9fe05')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", + "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": [ + { + "copy": { + "name": "roleAssignment", + "count": "[length(parameters('principalIds'))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.ManagedIdentity/userAssignedIdentities/{0}', last(split(parameters('resourceId'), '/')))]", + "name": "[guid(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', last(split(parameters('resourceId'), '/'))), parameters('principalIds')[copyIndex()], parameters('roleDefinitionIdOrName'))]", + "properties": { + "description": "[parameters('description')]", + "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), parameters('roleDefinitionIdOrName')), variables('builtInRoleNames')[parameters('roleDefinitionIdOrName')], parameters('roleDefinitionIdOrName'))]", + "principalId": "[parameters('principalIds')[copyIndex()]]", + "principalType": 
"[if(not(empty(parameters('principalType'))), parameters('principalType'), null())]", + "condition": "[if(not(empty(parameters('condition'))), parameters('condition'), null())]", + "conditionVersion": "[if(and(not(empty(parameters('conditionVersion'))), not(empty(parameters('condition')))), parameters('conditionVersion'), null())]", + "delegatedManagedIdentityResourceId": "[if(not(empty(parameters('delegatedManagedIdentityResourceId'))), parameters('delegatedManagedIdentityResourceId'), null())]" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('name'))]" + ] + } + ], + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the user assigned identity." + }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the user assigned identity." + }, + "value": "[resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('name'))]" + }, + "principalId": { + "type": "string", + "metadata": { + "description": "The principal ID of the user assigned identity." + }, + "value": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('name')), '2018-11-30').principalId]" + }, + "clientId": { + "type": "string", + "metadata": { + "description": "The resource ID of the user assigned identity" + }, + "value": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('name')), '2018-11-30').clientId]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The resource group the user assigned identity was deployed into." + }, + "value": "[resourceGroup().name]" + }, + "location": { + "type": "string", + "metadata": { + "description": "The location the resource was deployed into." 
}, + "value": "[reference(resourceId('Microsoft.ManagedIdentity/userAssignedIdentities', parameters('name')), '2018-11-30', 'full').location]" + } + } + } + } + }, + { + "condition": "[or(parameters('createStorageDeployment'), parameters('createSessionHosts'))]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('MI-CleanUp-{0}', parameters('time'))]", + "subscriptionId": "[format('{0}', parameters('subscriptionId'))]", + "resourceGroup": "[format('{0}', parameters('serviceObjectsRgName'))]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "name": { + "value": "[parameters('cleanUpManagedIdentityName')]" + }, + "location": { + "value": "[parameters('location')]" + }, + "tags": { + "value": "[parameters('tags')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.21.1.54444", + "templateHash": "7754983815852819350" + } + }, + "parameters": { + "name": { + "type": "string", + "defaultValue": "[guid(resourceGroup().id)]", + "metadata": { + "description": "Optional. Name of the User Assigned Identity." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all resources." + } + }, + "lock": { + "type": "string", + "defaultValue": "", "allowedValues": [ "", "CanNotDelete", "ReadOnly" - ] + ], + "metadata": { + "description": "Optional. Specify the type of lock." + } }, "roleAssignments": { "type": "array", @@ -16037,8 +19148,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "8490200634198428200" + "version": "0.21.1.54444", + "templateHash": "5263933546195004806" } }, "parameters": { 
@@ -16242,8 +19353,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "6119857452463366145" + "version": "0.21.1.54444", + "templateHash": "8145106657487286483" } }, "parameters": { @@ -16384,14 +19495,14 @@ "lock": { "type": "string", "defaultValue": "", - "metadata": { - "description": "Optional. Specify the type of lock." - }, "allowedValues": [ "", "CanNotDelete", "ReadOnly" - ] + ], + "metadata": { + "description": "Optional. Specify the type of lock." + } }, "tags": { "type": "object", @@ -16543,8 +19654,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "10569201387143117913" + "version": "0.21.1.54444", + "templateHash": "17317977123822737513" } }, "parameters": { @@ -17123,8 +20234,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "10569201387143117913" + "version": "0.21.1.54444", + "templateHash": "17317977123822737513" } }, "parameters": { @@ -17701,8 +20812,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "10569201387143117913" + "version": "0.21.1.54444", + "templateHash": "17317977123822737513" } }, "parameters": { @@ -18285,8 +21396,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "10569201387143117913" + "version": "0.21.1.54444", + "templateHash": "17317977123822737513" } }, "parameters": { @@ -18865,8 +21976,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "10569201387143117913" + "version": "0.21.1.54444", + "templateHash": "17317977123822737513" } }, "parameters": { @@ -19445,8 +22556,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "10569201387143117913" + "version": "0.21.1.54444", + "templateHash": "17317977123822737513" } }, "parameters": { 
@@ -20019,8 +23130,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "10569201387143117913" + "version": "0.21.1.54444", + "templateHash": "17317977123822737513" } }, "parameters": { @@ -20662,8 +23773,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "12497703365980086846" + "version": "0.21.1.54444", + "templateHash": "1439819306129127820" } }, "parameters": { @@ -20829,8 +23940,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "5657647834665443119" + "version": "0.21.1.54444", + "templateHash": "12317712979554879023" } }, "parameters": { @@ -21018,8 +24129,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "17165573628970783202" + "version": "0.21.1.54444", + "templateHash": "14228229460676709073" } }, "parameters": { @@ -21288,8 +24399,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "13416191842446717007" + "version": "0.21.1.54444", + "templateHash": "4137783479866222342" } }, "parameters": { @@ -21382,8 +24493,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "17165573628970783202" + "version": "0.21.1.54444", + "templateHash": "14228229460676709073" } }, "parameters": { @@ -21652,8 +24763,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "13416191842446717007" + "version": "0.21.1.54444", + "templateHash": "4137783479866222342" } }, "parameters": { @@ -21722,8 +24833,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "10569201387143117913" + "version": "0.21.1.54444", + "templateHash": "17317977123822737513" } }, "parameters": { 
@@ -22306,8 +25417,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "10569201387143117913" + "version": "0.21.1.54444", + "templateHash": "17317977123822737513" } }, "parameters": { @@ -22887,8 +25998,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "15136491551081535379" + "version": "0.21.1.54444", + "templateHash": "7754983815852819350" } }, "parameters": { @@ -22909,14 +26020,14 @@ "lock": { "type": "string", "defaultValue": "", - "metadata": { - "description": "Optional. Specify the type of lock." - }, "allowedValues": [ "", "CanNotDelete", "ReadOnly" - ] + ], + "metadata": { + "description": "Optional. Specify the type of lock." + } }, "roleAssignments": { "type": "array", @@ -23010,8 +26121,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "8490200634198428200" + "version": "0.21.1.54444", + "templateHash": "5263933546195004806" } }, "parameters": { @@ -23214,8 +26325,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "6119857452463366145" + "version": "0.21.1.54444", + "templateHash": "8145106657487286483" } }, "parameters": { @@ -23356,14 +26467,14 @@ "lock": { "type": "string", "defaultValue": "", - "metadata": { - "description": "Optional. Specify the type of lock." - }, "allowedValues": [ "", "CanNotDelete", "ReadOnly" - ] + ], + "metadata": { + "description": "Optional. Specify the type of lock." + } }, "tags": { "type": "object", @@ -23511,8 +26622,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "10569201387143117913" + "version": "0.21.1.54444", + "templateHash": "17317977123822737513" } }, "parameters": { 
@@ -24121,8 +27232,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "17450213271810432516" + "version": "0.21.1.54444", + "templateHash": "10225243890871880330" } }, "parameters": { @@ -24262,8 +27373,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "10530929595373885258" + "version": "0.21.1.54444", + "templateHash": "11494699434629956647" } }, "parameters": { @@ -24391,8 +27502,8 @@ "diagnosticLogsRetentionInDays": { "type": "int", "defaultValue": 365, - "maxValue": 365, "minValue": 0, + "maxValue": 365, "metadata": { "description": "Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely." } @@ -24428,14 +27539,14 @@ "lock": { "type": "string", "defaultValue": "", - "metadata": { - "description": "Optional. Specify the type of lock." - }, "allowedValues": [ "", "CanNotDelete", "ReadOnly" - ] + ], + "metadata": { + "description": "Optional. Specify the type of lock." + } }, "roleAssignments": { "type": "array", @@ -24632,8 +27743,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "6036891804343016093" + "version": "0.21.1.54444", + "templateHash": "6740418827739952012" } }, "parameters": { @@ -24764,8 +27875,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "8593614529812859648" + "version": "0.21.1.54444", + "templateHash": "1740953456073265015" } }, "parameters": { @@ -24901,8 +28012,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "7411396567157179257" + "version": "0.21.1.54444", + "templateHash": "15814620610091788537" } }, "parameters": { 
@@ -25096,8 +28207,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "1124355010779190486" + "version": "0.21.1.54444", + "templateHash": "161566500283768812" } }, "parameters": { @@ -25279,8 +28390,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "7260777690340402293" + "version": "0.21.1.54444", + "templateHash": "8510219443070850278" } }, "parameters": { @@ -25482,8 +28593,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "7311288048246157848" + "version": "0.21.1.54444", + "templateHash": "14559775667395480629" } }, "parameters": { @@ -25549,14 +28660,14 @@ "lock": { "type": "string", "defaultValue": "", - "metadata": { - "description": "Optional. Specify the type of lock." - }, "allowedValues": [ "", "CanNotDelete", "ReadOnly" - ] + ], + "metadata": { + "description": "Optional. Specify the type of lock." + } }, "roleAssignments": { "type": "array", @@ -25679,8 +28790,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "12718574346799900200" + "version": "0.21.1.54444", + "templateHash": "10817246518679375966" } }, "parameters": { @@ -25692,8 +28803,8 @@ }, "privateDNSResourceIds": { "type": "array", - "maxLength": 5, "minLength": 1, + "maxLength": 5, "metadata": { "description": "Required. Array of private DNS zone resource IDs. A DNS zone group can support up to 5 DNS zones." } @@ -25814,8 +28925,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "12287935360262920219" + "version": "0.21.1.54444", + "templateHash": "13032708393704093995" } }, "parameters": { @@ -26028,8 +29139,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "2925986724999389514" + "version": "0.21.1.54444", + "templateHash": "12411629325302614699" } }, "parameters": { 
@@ -26259,8 +29370,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "1124355010779190486" + "version": "0.21.1.54444", + "templateHash": "161566500283768812" } }, "parameters": { @@ -26442,8 +29553,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "7260777690340402293" + "version": "0.21.1.54444", + "templateHash": "8510219443070850278" } }, "parameters": { @@ -26645,8 +29756,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "9857842888967195839" + "version": "0.21.1.54444", + "templateHash": "15837328238442399759" } }, "parameters": { @@ -26673,14 +29784,14 @@ "lock": { "type": "string", "defaultValue": "", - "metadata": { - "description": "Optional. Specify the type of lock." - }, "allowedValues": [ "", "CanNotDelete", "ReadOnly" - ] + ], + "metadata": { + "description": "Optional. Specify the type of lock." + } }, "keyVaultResourceId": { "type": "string", @@ -26856,8 +29967,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "2377303483140510674" + "version": "0.21.1.54444", + "templateHash": "17435508871327946334" } }, "parameters": { @@ -26932,8 +30043,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "1764649882380429233" + "version": "0.21.1.54444", + "templateHash": "7222366309271203422" } }, "parameters": { @@ -27004,8 +30115,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "6036891804343016093" + "version": "0.21.1.54444", + "templateHash": "6740418827739952012" } }, "parameters": { @@ -27135,8 +30246,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "205693325076049461" + "version": "0.21.1.54444", + "templateHash": "13165233376501361165" } }, "parameters": { 
@@ -27403,8 +30514,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "10530929595373885258" + "version": "0.21.1.54444", + "templateHash": "11494699434629956647" } }, "parameters": { @@ -27532,8 +30643,8 @@ "diagnosticLogsRetentionInDays": { "type": "int", "defaultValue": 365, - "maxValue": 365, "minValue": 0, + "maxValue": 365, "metadata": { "description": "Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely." } @@ -27569,14 +30680,14 @@ "lock": { "type": "string", "defaultValue": "", - "metadata": { - "description": "Optional. Specify the type of lock." - }, "allowedValues": [ "", "CanNotDelete", "ReadOnly" - ] + ], + "metadata": { + "description": "Optional. Specify the type of lock." + } }, "roleAssignments": { "type": "array", @@ -27773,8 +30884,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "6036891804343016093" + "version": "0.21.1.54444", + "templateHash": "6740418827739952012" } }, "parameters": { @@ -27905,8 +31016,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "8593614529812859648" + "version": "0.21.1.54444", + "templateHash": "1740953456073265015" } }, "parameters": { @@ -28042,8 +31153,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "7411396567157179257" + "version": "0.21.1.54444", + "templateHash": "15814620610091788537" } }, "parameters": { @@ -28237,8 +31348,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "1124355010779190486" + "version": "0.21.1.54444", + "templateHash": "161566500283768812" } }, "parameters": { @@ -28420,8 +31531,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "7260777690340402293" + "version": "0.21.1.54444", + "templateHash": "8510219443070850278" } }, "parameters": { 
@@ -28623,8 +31734,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "7311288048246157848" + "version": "0.21.1.54444", + "templateHash": "14559775667395480629" } }, "parameters": { @@ -28690,14 +31801,14 @@ "lock": { "type": "string", "defaultValue": "", - "metadata": { - "description": "Optional. Specify the type of lock." - }, "allowedValues": [ "", "CanNotDelete", "ReadOnly" - ] + ], + "metadata": { + "description": "Optional. Specify the type of lock." + } }, "roleAssignments": { "type": "array", @@ -28820,8 +31931,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "12718574346799900200" + "version": "0.21.1.54444", + "templateHash": "10817246518679375966" } }, "parameters": { @@ -28833,8 +31944,8 @@ }, "privateDNSResourceIds": { "type": "array", - "maxLength": 5, "minLength": 1, + "maxLength": 5, "metadata": { "description": "Required. Array of private DNS zone resource IDs. A DNS zone group can support up to 5 DNS zones." } @@ -28955,8 +32066,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "12287935360262920219" + "version": "0.21.1.54444", + "templateHash": "13032708393704093995" } }, "parameters": { @@ -29169,8 +32280,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "2925986724999389514" + "version": "0.21.1.54444", + "templateHash": "12411629325302614699" } }, "parameters": { @@ -29421,8 +32532,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "2907237861517290313" + "version": "0.21.1.54444", + "templateHash": "17547683740547410047" } }, "parameters": { @@ -29702,8 +32813,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "547922033158170612" + "version": "0.21.1.54444", + "templateHash": "16145006903790239270" } }, "parameters": { 
@@ -30156,14 +33267,14 @@ "lock": { "type": "string", "defaultValue": "", - "metadata": { - "description": "Optional. Specify the type of lock." - }, "allowedValues": [ "", "CanNotDelete", "ReadOnly" - ] + ], + "metadata": { + "description": "Optional. Specify the type of lock." + } }, "roleAssignments": { "type": "array", @@ -30538,8 +33649,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "10525586211840772754" + "version": "0.21.1.54444", + "templateHash": "12494527698043294819" } }, "parameters": { @@ -30693,8 +33804,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "3109828817825228978" + "version": "0.21.1.54444", + "templateHash": "1998504441889364515" } }, "parameters": { @@ -30814,14 +33925,14 @@ "lock": { "type": "string", "defaultValue": "", - "metadata": { - "description": "Optional. Specify the type of lock." - }, "allowedValues": [ "", "CanNotDelete", "ReadOnly" - ] + ], + "metadata": { + "description": "Optional. Specify the type of lock." + } }, "location": { "type": "string", @@ -31009,8 +34120,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "9526391067242259796" + "version": "0.21.1.54444", + "templateHash": "7328126239184883887" } }, "parameters": { @@ -31261,8 +34372,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "4280335810449335065" + "version": "0.21.1.54444", + "templateHash": "5590101494385097417" } }, "parameters": { 
@@ -31324,14 +34435,14 @@ "auxiliaryMode": { "type": "string", "defaultValue": "None", - "metadata": { - "description": "Optional. Auxiliary mode of Network Interface resource. Not all regions are enabled for Auxiliary Mode Nic." - }, "allowedValues": [ "Floating", "MaxConnections", "None" - ] + ], + "metadata": { + "description": "Optional. Auxiliary mode of Network Interface resource. Not all regions are enabled for Auxiliary Mode Nic." + } }, "disableTcpStateTracking": { "type": "bool", @@ -31349,14 +34460,14 @@ "lock": { "type": "string", "defaultValue": "", - "metadata": { - "description": "Optional. Specify the type of lock." - }, "allowedValues": [ "", "CanNotDelete", "ReadOnly" - ] + ], + "metadata": { + "description": "Optional. Specify the type of lock." + } }, "roleAssignments": { "type": "array", @@ -31546,8 +34657,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "934300040337690336" + "version": "0.21.1.54444", + "templateHash": "10645923556503351364" } }, "parameters": { @@ -31765,8 +34876,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "3345220041904522099" + "version": "0.21.1.54444", + "templateHash": "2320457624134194742" } }, "parameters": { @@ -31971,8 +35082,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "3345220041904522099" + "version": "0.21.1.54444", + "templateHash": "2320457624134194742" } }, "parameters": { @@ -32172,8 +35283,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "3345220041904522099" + "version": "0.21.1.54444", + "templateHash": "2320457624134194742" } }, "parameters": { @@ -32378,8 +35489,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "3345220041904522099" + "version": "0.21.1.54444", + "templateHash": "2320457624134194742" } }, "parameters": { 
@@ -32574,8 +35685,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "3345220041904522099" + "version": "0.21.1.54444", + "templateHash": "2320457624134194742" } }, "parameters": { @@ -32770,8 +35881,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "3345220041904522099" + "version": "0.21.1.54444", + "templateHash": "2320457624134194742" } }, "parameters": { @@ -32970,8 +36081,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "3345220041904522099" + "version": "0.21.1.54444", + "templateHash": "2320457624134194742" } }, "parameters": { @@ -33178,8 +36289,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "3345220041904522099" + "version": "0.21.1.54444", + "templateHash": "2320457624134194742" } }, "parameters": { @@ -33379,8 +36490,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "3345220041904522099" + "version": "0.21.1.54444", + "templateHash": "2320457624134194742" } }, "parameters": { @@ -33583,8 +36694,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "542004733048752795" + "version": "0.21.1.54444", + "templateHash": "10405060501220354608" } }, "parameters": { @@ -33615,9 +36726,6 @@ }, "protectedItemType": { "type": "string", - "metadata": { - "description": "Required. The backup item type." - }, "allowedValues": [ "AzureFileShareProtectedItem", "AzureVmWorkloadSAPAseDatabase", @@ -33629,7 +36737,10 @@ "Microsoft.ClassicCompute/virtualMachines", "Microsoft.Compute/virtualMachines", "Microsoft.Sql/servers/databases" - ] + ], + "metadata": { + "description": "Required. The backup item type." + } }, "policyId": { "type": "string", 
@@ -33749,8 +36860,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "5545265229641785727" + "version": "0.21.1.54444", + "templateHash": "11877341194593849245" } }, "parameters": { @@ -33966,8 +37077,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "6119857452463366145" + "version": "0.21.1.54444", + "templateHash": "8145106657487286483" } }, "parameters": { @@ -34108,14 +37219,14 @@ "lock": { "type": "string", "defaultValue": "", - "metadata": { - "description": "Optional. Specify the type of lock." - }, "allowedValues": [ "", "CanNotDelete", "ReadOnly" - ] + ], + "metadata": { + "description": "Optional. Specify the type of lock." + } }, "tags": { "type": "object", @@ -34338,8 +37449,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "443290892200518911" + "version": "0.21.1.54444", + "templateHash": "3332339003647302114" } }, "parameters": { @@ -34597,17 +37708,17 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "13503792698356233940" + "version": "0.21.1.54444", + "templateHash": "13264683594123465479" } }, "parameters": { "name": { "type": "string", + "maxLength": 24, "metadata": { "description": "Required. Name of the Storage Account." - }, - "maxLength": 24 + } }, "location": { "type": "string", @@ -34640,23 +37751,20 @@ "kind": { "type": "string", "defaultValue": "StorageV2", - "metadata": { - "description": "Optional. Type of Storage Account to create." - }, "allowedValues": [ "Storage", "StorageV2", "BlobStorage", "FileStorage", "BlockBlobStorage" - ] + ], + "metadata": { + "description": "Optional. Type of Storage Account to create." + } }, "skuName": { "type": "string", "defaultValue": "Standard_GRS", - "metadata": { - "description": "Optional. Storage Account Sku Name." - }, "allowedValues": [ "Standard_LRS", "Standard_GRS", 
@@ -34666,30 +37774,33 @@ "Premium_ZRS", "Standard_GZRS", "Standard_RAGZRS" - ] + ], + "metadata": { + "description": "Optional. Storage Account Sku Name." + } }, "accessTier": { "type": "string", "defaultValue": "Hot", - "metadata": { - "description": "Conditional. Required if the Storage Account kind is set to BlobStorage. The access tier is used for billing. The \"Premium\" access tier is the default value for premium block blobs storage account type and it cannot be changed for the premium block blobs storage account type." - }, "allowedValues": [ "Premium", "Hot", "Cool" - ] + ], + "metadata": { + "description": "Conditional. Required if the Storage Account kind is set to BlobStorage. The access tier is used for billing. The \"Premium\" access tier is the default value for premium block blobs storage account type and it cannot be changed for the premium block blobs storage account type." + } }, "largeFileSharesState": { "type": "string", "defaultValue": "Disabled", - "metadata": { - "description": "Optional. Allow large file shares if sets to 'Enabled'. It cannot be disabled once it is enabled. Only supported on locally redundant and zone redundant file shares. It cannot be set on FileStorage storage accounts (storage accounts for premium file shares)." - }, "allowedValues": [ "Disabled", "Enabled" - ] + ], + "metadata": { + "description": "Optional. Allow large file shares if sets to 'Enabled'. It cannot be disabled once it is enabled. Only supported on locally redundant and zone redundant file shares. It cannot be set on FileStorage storage accounts (storage accounts for premium file shares)." + } }, "azureFilesIdentityBasedAuthentication": { "type": "object", 
@@ -34811,14 +37922,14 @@ "minimumTlsVersion": { "type": "string", "defaultValue": "TLS1_2", - "metadata": { - "description": "Optional. Set the minimum TLS version on request to storage." - }, "allowedValues": [ "TLS1_0", "TLS1_1", "TLS1_2" - ] + ], + "metadata": { + "description": "Optional. Set the minimum TLS version on request to storage." + } }, "enableHierarchicalNamespace": { "type": "bool", @@ -34886,14 +37997,14 @@ "lock": { "type": "string", "defaultValue": "", - "metadata": { - "description": "Optional. Specify the type of lock." - }, "allowedValues": [ "", "CanNotDelete", "ReadOnly" - ] + ], + "metadata": { + "description": "Optional. Specify the type of lock." + } }, "tags": { "type": "object", @@ -35145,8 +38256,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "14509829261817545327" + "version": "0.21.1.54444", + "templateHash": "11907799862370162022" } }, "parameters": { @@ -35340,8 +38451,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "7311288048246157848" + "version": "0.21.1.54444", + "templateHash": "14559775667395480629" } }, "parameters": { @@ -35407,14 +38518,14 @@ "lock": { "type": "string", "defaultValue": "", - "metadata": { - "description": "Optional. Specify the type of lock." - }, "allowedValues": [ "", "CanNotDelete", "ReadOnly" - ] + ], + "metadata": { + "description": "Optional. Specify the type of lock." + } }, "roleAssignments": { "type": "array", @@ -35537,8 +38648,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "12718574346799900200" + "version": "0.21.1.54444", + "templateHash": "10817246518679375966" } }, "parameters": { @@ -35550,8 +38661,8 @@ }, "privateDNSResourceIds": { "type": "array", - "maxLength": 5, "minLength": 1, + "maxLength": 5, "metadata": { "description": "Required. Array of private DNS zone resource IDs. A DNS zone group can support up to 5 DNS zones." } 
@@ -35672,8 +38783,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "12287935360262920219" + "version": "0.21.1.54444", + "templateHash": "13032708393704093995" } }, "parameters": { @@ -35879,17 +38990,17 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "6611019192370176160" + "version": "0.21.1.54444", + "templateHash": "4253610036228558936" } }, "parameters": { "storageAccountName": { "type": "string", + "maxLength": 24, "metadata": { "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." - }, - "maxLength": 24 + } }, "rules": { "type": "array", @@ -36003,17 +39114,17 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "887985521850583920" + "version": "0.21.1.54444", + "templateHash": "2607160455374616389" } }, "parameters": { "storageAccountName": { "type": "string", + "maxLength": 24, "metadata": { "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." - }, - "maxLength": 24 + } }, "name": { "type": "string", @@ -36161,17 +39272,17 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "10541476086832691043" + "version": "0.21.1.54444", + "templateHash": "3867614023183305816" } }, "parameters": { "storageAccountName": { "type": "string", + "maxLength": 24, "metadata": { "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." - }, - "maxLength": 24 + } }, "deleteRetentionPolicy": { "type": "bool", 
@@ -36204,8 +39315,8 @@ "diagnosticLogsRetentionInDays": { "type": "int", "defaultValue": 365, - "maxValue": 365, "minValue": 0, + "maxValue": 365, "metadata": { "description": "Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely." } @@ -36382,17 +39493,17 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "4711998299496378361" + "version": "0.21.1.54444", + "templateHash": "1372202156919204831" } }, "parameters": { "storageAccountName": { "type": "string", + "maxLength": 24, "metadata": { "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." - }, - "maxLength": 24 + } }, "name": { "type": "string", @@ -36410,14 +39521,14 @@ "publicAccess": { "type": "string", "defaultValue": "None", - "metadata": { - "description": "Optional. Specifies whether data in the container may be accessed publicly and the level of access." - }, "allowedValues": [ "Container", "Blob", "None" - ] + ], + "metadata": { + "description": "Optional. Specifies whether data in the container may be accessed publicly and the level of access." + } }, "immutabilityPolicyProperties": { "type": "object", @@ -36496,17 +39607,17 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "9600027410745431357" + "version": "0.21.1.54444", + "templateHash": "11262013761717354542" } }, "parameters": { "storageAccountName": { "type": "string", + "maxLength": 24, "metadata": { "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." - }, - "maxLength": 24 + } }, "containerName": { "type": "string", @@ -36624,8 +39735,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "2765385875040083757" + "version": "0.21.1.54444", + "templateHash": "5334204341302869645" } }, "parameters": { 
@@ -36862,17 +39973,17 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "1150612779421396008" + "version": "0.21.1.54444", + "templateHash": "2167053915280339359" } }, "parameters": { "storageAccountName": { "type": "string", + "maxLength": 24, "metadata": { "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." - }, - "maxLength": 24 + } }, "name": { "type": "string", @@ -36901,8 +40012,8 @@ "diagnosticLogsRetentionInDays": { "type": "int", "defaultValue": 365, - "maxValue": 365, "minValue": 0, + "maxValue": 365, "metadata": { "description": "Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely." } @@ -37086,17 +40197,17 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "17475626136384362732" + "version": "0.21.1.54444", + "templateHash": "7008197552909900283" } }, "parameters": { "storageAccountName": { "type": "string", + "maxLength": 24, "metadata": { "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." - }, - "maxLength": 24 + } }, "fileServicesName": { "type": "string", 
@@ -37121,25 +40232,25 @@ "enabledProtocols": { "type": "string", "defaultValue": "SMB", - "metadata": { - "description": "Optional. The authentication protocol that is used for the file share. Can only be specified when creating a share." - }, "allowedValues": [ "NFS", "SMB" - ] + ], + "metadata": { + "description": "Optional. The authentication protocol that is used for the file share. Can only be specified when creating a share." + } }, "rootSquash": { "type": "string", "defaultValue": "NoRootSquash", - "metadata": { - "description": "Optional. Permissions for NFS file shares are enforced by the client OS rather than the Azure Files service. Toggling the root squash behavior reduces the rights of the root user for NFS shares." - }, "allowedValues": [ "AllSquash", "NoRootSquash", "RootSquash" - ] + ], + "metadata": { + "description": "Optional. Permissions for NFS file shares are enforced by the client OS rather than the Azure Files service. Toggling the root squash behavior reduces the rights of the root user for NFS shares." + } }, "roleAssignments": { "type": "array", @@ -37215,8 +40326,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "398511802813701603" + "version": "0.21.1.54444", + "templateHash": "12515062620278558169" } }, "parameters": { @@ -37454,17 +40565,17 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "8639862570197941224" + "version": "0.21.1.54444", + "templateHash": "8749040656749087019" } }, "parameters": { "storageAccountName": { "type": "string", + "maxLength": 24, "metadata": { "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." - }, - "maxLength": 24 + } }, "queues": { "type": "array", 
@@ -37476,8 +40587,8 @@ "diagnosticLogsRetentionInDays": { "type": "int", "defaultValue": 365, - "maxValue": 365, "minValue": 0, + "maxValue": 365, "metadata": { "description": "Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely." } @@ -37651,17 +40762,17 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "8626996903060982853" + "version": "0.21.1.54444", + "templateHash": "14624220085780750615" } }, "parameters": { "storageAccountName": { "type": "string", + "maxLength": 24, "metadata": { "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." - }, - "maxLength": 24 + } }, "name": { "type": "string", @@ -37748,8 +40859,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "7868704077465009471" + "version": "0.21.1.54444", + "templateHash": "256624618142232879" } }, "parameters": { @@ -37984,17 +41095,17 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "2885217159765875903" + "version": "0.21.1.54444", + "templateHash": "17171385097788904997" } }, "parameters": { "storageAccountName": { "type": "string", + "maxLength": 24, "metadata": { "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." - }, - "maxLength": 24 + } }, "tables": { "type": "array", @@ -38006,8 +41117,8 @@ "diagnosticLogsRetentionInDays": { "type": "int", "defaultValue": 365, - "maxValue": 365, "minValue": 0, + "maxValue": 365, "metadata": { "description": "Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely." } 
@@ -38175,17 +41286,17 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "10506944460358814800" + "version": "0.21.1.54444", + "templateHash": "15439721503188480715" } }, "parameters": { "storageAccountName": { "type": "string", + "maxLength": 24, "metadata": { "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." - }, - "maxLength": 24 + } }, "name": { "type": "string", @@ -38368,8 +41479,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "16133335500075476844" + "version": "0.21.1.54444", + "templateHash": "3833916253334122169" } }, "parameters": { @@ -38538,8 +41649,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "443290892200518911" + "version": "0.21.1.54444", + "templateHash": "3332339003647302114" } }, "parameters": { @@ -38797,17 +41908,17 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "13503792698356233940" + "version": "0.21.1.54444", + "templateHash": "13264683594123465479" } }, "parameters": { "name": { "type": "string", + "maxLength": 24, "metadata": { "description": "Required. Name of the Storage Account." - }, - "maxLength": 24 + } }, "location": { "type": "string", @@ -38840,23 +41951,20 @@ "kind": { "type": "string", "defaultValue": "StorageV2", - "metadata": { - "description": "Optional. Type of Storage Account to create." - }, "allowedValues": [ "Storage", "StorageV2", "BlobStorage", "FileStorage", "BlockBlobStorage" - ] + ], + "metadata": { + "description": "Optional. Type of Storage Account to create." + } }, "skuName": { "type": "string", "defaultValue": "Standard_GRS", - "metadata": { - "description": "Optional. Storage Account Sku Name." - }, "allowedValues": [ "Standard_LRS", "Standard_GRS", 
@@ -38866,30 +41974,33 @@ "Premium_ZRS", "Standard_GZRS", "Standard_RAGZRS" - ] + ], + "metadata": { + "description": "Optional. Storage Account Sku Name." + } }, "accessTier": { "type": "string", "defaultValue": "Hot", - "metadata": { - "description": "Conditional. Required if the Storage Account kind is set to BlobStorage. The access tier is used for billing. The \"Premium\" access tier is the default value for premium block blobs storage account type and it cannot be changed for the premium block blobs storage account type." - }, "allowedValues": [ "Premium", "Hot", "Cool" - ] + ], + "metadata": { + "description": "Conditional. Required if the Storage Account kind is set to BlobStorage. The access tier is used for billing. The \"Premium\" access tier is the default value for premium block blobs storage account type and it cannot be changed for the premium block blobs storage account type." + } }, "largeFileSharesState": { "type": "string", "defaultValue": "Disabled", - "metadata": { - "description": "Optional. Allow large file shares if sets to 'Enabled'. It cannot be disabled once it is enabled. Only supported on locally redundant and zone redundant file shares. It cannot be set on FileStorage storage accounts (storage accounts for premium file shares)." - }, "allowedValues": [ "Disabled", "Enabled" - ] + ], + "metadata": { + "description": "Optional. Allow large file shares if sets to 'Enabled'. It cannot be disabled once it is enabled. Only supported on locally redundant and zone redundant file shares. It cannot be set on FileStorage storage accounts (storage accounts for premium file shares)." + } }, "azureFilesIdentityBasedAuthentication": { "type": "object", 
@@ -39011,14 +42122,14 @@ "minimumTlsVersion": { "type": "string", "defaultValue": "TLS1_2", - "metadata": { - "description": "Optional. Set the minimum TLS version on request to storage." - }, "allowedValues": [ "TLS1_0", "TLS1_1", "TLS1_2" - ] + ], + "metadata": { + "description": "Optional. Set the minimum TLS version on request to storage." + } }, "enableHierarchicalNamespace": { "type": "bool", @@ -39086,14 +42197,14 @@ "lock": { "type": "string", "defaultValue": "", - "metadata": { - "description": "Optional. Specify the type of lock." - }, "allowedValues": [ "", "CanNotDelete", "ReadOnly" - ] + ], + "metadata": { + "description": "Optional. Specify the type of lock." + } }, "tags": { "type": "object", @@ -39345,8 +42456,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "14509829261817545327" + "version": "0.21.1.54444", + "templateHash": "11907799862370162022" } }, "parameters": { @@ -39540,8 +42651,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "7311288048246157848" + "version": "0.21.1.54444", + "templateHash": "14559775667395480629" } }, "parameters": { @@ -39607,14 +42718,14 @@ "lock": { "type": "string", "defaultValue": "", - "metadata": { - "description": "Optional. Specify the type of lock." - }, "allowedValues": [ "", "CanNotDelete", "ReadOnly" - ] + ], + "metadata": { + "description": "Optional. Specify the type of lock." + } }, "roleAssignments": { "type": "array", @@ -39737,8 +42848,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "12718574346799900200" + "version": "0.21.1.54444", + "templateHash": "10817246518679375966" } }, "parameters": { @@ -39750,8 +42861,8 @@ }, "privateDNSResourceIds": { "type": "array", - "maxLength": 5, "minLength": 1, + "maxLength": 5, "metadata": { "description": "Required. Array of private DNS zone resource IDs. A DNS zone group can support up to 5 DNS zones." } 
@@ -39872,8 +42983,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "12287935360262920219" + "version": "0.21.1.54444", + "templateHash": "13032708393704093995" } }, "parameters": { @@ -40079,17 +43190,17 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "6611019192370176160" + "version": "0.21.1.54444", + "templateHash": "4253610036228558936" } }, "parameters": { "storageAccountName": { "type": "string", + "maxLength": 24, "metadata": { "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." - }, - "maxLength": 24 + } }, "rules": { "type": "array", @@ -40203,17 +43314,17 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "887985521850583920" + "version": "0.21.1.54444", + "templateHash": "2607160455374616389" } }, "parameters": { "storageAccountName": { "type": "string", + "maxLength": 24, "metadata": { "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." - }, - "maxLength": 24 + } }, "name": { "type": "string", @@ -40361,17 +43472,17 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "10541476086832691043" + "version": "0.21.1.54444", + "templateHash": "3867614023183305816" } }, "parameters": { "storageAccountName": { "type": "string", + "maxLength": 24, "metadata": { "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." - }, - "maxLength": 24 + } }, "deleteRetentionPolicy": { "type": "bool", 
@@ -40404,8 +43515,8 @@ "diagnosticLogsRetentionInDays": { "type": "int", "defaultValue": 365, - "maxValue": 365, "minValue": 0, + "maxValue": 365, "metadata": { "description": "Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely." } @@ -40582,17 +43693,17 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "4711998299496378361" + "version": "0.21.1.54444", + "templateHash": "1372202156919204831" } }, "parameters": { "storageAccountName": { "type": "string", + "maxLength": 24, "metadata": { "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." - }, - "maxLength": 24 + } }, "name": { "type": "string", @@ -40610,14 +43721,14 @@ "publicAccess": { "type": "string", "defaultValue": "None", - "metadata": { - "description": "Optional. Specifies whether data in the container may be accessed publicly and the level of access." - }, "allowedValues": [ "Container", "Blob", "None" - ] + ], + "metadata": { + "description": "Optional. Specifies whether data in the container may be accessed publicly and the level of access." + } }, "immutabilityPolicyProperties": { "type": "object", @@ -40696,17 +43807,17 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "9600027410745431357" + "version": "0.21.1.54444", + "templateHash": "11262013761717354542" } }, "parameters": { "storageAccountName": { "type": "string", + "maxLength": 24, "metadata": { "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." - }, - "maxLength": 24 + } }, "containerName": { "type": "string", @@ -40824,8 +43935,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "2765385875040083757" + "version": "0.21.1.54444", + "templateHash": "5334204341302869645" } }, "parameters": { 
@@ -41062,17 +44173,17 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "1150612779421396008" + "version": "0.21.1.54444", + "templateHash": "2167053915280339359" } }, "parameters": { "storageAccountName": { "type": "string", + "maxLength": 24, "metadata": { "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." - }, - "maxLength": 24 + } }, "name": { "type": "string", @@ -41101,8 +44212,8 @@ "diagnosticLogsRetentionInDays": { "type": "int", "defaultValue": 365, - "maxValue": 365, "minValue": 0, + "maxValue": 365, "metadata": { "description": "Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely." } @@ -41286,17 +44397,17 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "17475626136384362732" + "version": "0.21.1.54444", + "templateHash": "7008197552909900283" } }, "parameters": { "storageAccountName": { "type": "string", + "maxLength": 24, "metadata": { "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." - }, - "maxLength": 24 + } }, "fileServicesName": { "type": "string", 
@@ -41321,25 +44432,25 @@ "enabledProtocols": { "type": "string", "defaultValue": "SMB", - "metadata": { - "description": "Optional. The authentication protocol that is used for the file share. Can only be specified when creating a share." - }, "allowedValues": [ "NFS", "SMB" - ] + ], + "metadata": { + "description": "Optional. The authentication protocol that is used for the file share. Can only be specified when creating a share." + } }, "rootSquash": { "type": "string", "defaultValue": "NoRootSquash", - "metadata": { - "description": "Optional. Permissions for NFS file shares are enforced by the client OS rather than the Azure Files service. Toggling the root squash behavior reduces the rights of the root user for NFS shares." - }, "allowedValues": [ "AllSquash", "NoRootSquash", "RootSquash" - ] + ], + "metadata": { + "description": "Optional. Permissions for NFS file shares are enforced by the client OS rather than the Azure Files service. Toggling the root squash behavior reduces the rights of the root user for NFS shares." + } }, "roleAssignments": { "type": "array", @@ -41415,8 +44526,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "398511802813701603" + "version": "0.21.1.54444", + "templateHash": "12515062620278558169" } }, "parameters": { @@ -41654,17 +44765,17 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "8639862570197941224" + "version": "0.21.1.54444", + "templateHash": "8749040656749087019" } }, "parameters": { "storageAccountName": { "type": "string", + "maxLength": 24, "metadata": { "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." - }, - "maxLength": 24 + } }, "queues": { "type": "array", 
@@ -41676,8 +44787,8 @@ "diagnosticLogsRetentionInDays": { "type": "int", "defaultValue": 365, - "maxValue": 365, "minValue": 0, + "maxValue": 365, "metadata": { "description": "Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely." } @@ -41851,17 +44962,17 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "8626996903060982853" + "version": "0.21.1.54444", + "templateHash": "14624220085780750615" } }, "parameters": { "storageAccountName": { "type": "string", + "maxLength": 24, "metadata": { "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." - }, - "maxLength": 24 + } }, "name": { "type": "string", @@ -41948,8 +45059,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "7868704077465009471" + "version": "0.21.1.54444", + "templateHash": "256624618142232879" } }, "parameters": { @@ -42184,17 +45295,17 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "2885217159765875903" + "version": "0.21.1.54444", + "templateHash": "17171385097788904997" } }, "parameters": { "storageAccountName": { "type": "string", + "maxLength": 24, "metadata": { "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." - }, - "maxLength": 24 + } }, "tables": { "type": "array", @@ -42206,8 +45317,8 @@ "diagnosticLogsRetentionInDays": { "type": "int", "defaultValue": 365, - "maxValue": 365, "minValue": 0, + "maxValue": 365, "metadata": { "description": "Optional. Specifies the number of days that logs will be kept for; a value of 0 will retain data indefinitely." } 
@@ -42375,17 +45486,17 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "10506944460358814800" + "version": "0.21.1.54444", + "templateHash": "15439721503188480715" } }, "parameters": { "storageAccountName": { "type": "string", + "maxLength": 24, "metadata": { "description": "Conditional. The name of the parent Storage Account. Required if the template is used in a standalone deployment." - }, - "maxLength": 24 + } }, "name": { "type": "string", @@ -42568,8 +45679,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "16133335500075476844" + "version": "0.21.1.54444", + "templateHash": "3833916253334122169" } }, "parameters": { @@ -42684,8 +45795,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "14889137037653853520" + "version": "0.21.1.54444", + "templateHash": "6119438582302440926" } }, "parameters": { @@ -42763,8 +45874,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "11940163391569342138" + "version": "0.21.1.54444", + "templateHash": "16350576771018439160" } }, "parameters": { @@ -42812,14 +45923,14 @@ "lock": { "type": "string", "defaultValue": "", - "metadata": { - "description": "Optional. Specify the type of lock." - }, "allowedValues": [ "", "CanNotDelete", "ReadOnly" - ] + ], + "metadata": { + "description": "Optional. Specify the type of lock." + } }, "roleAssignments": { "type": "array", @@ -42921,8 +46032,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "10835079600690809858" + "version": "0.21.1.54444", + "templateHash": "12543587259073888483" } }, "parameters": { @@ -43235,8 +46346,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "5800190286840239570" + "version": "0.21.1.54444", + "templateHash": "5880973515767091387" } }, "parameters": { 
@@ -43632,8 +46743,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "547922033158170612" + "version": "0.21.1.54444", + "templateHash": "16145006903790239270" } }, "parameters": { @@ -44086,14 +47197,14 @@ "lock": { "type": "string", "defaultValue": "", - "metadata": { - "description": "Optional. Specify the type of lock." - }, "allowedValues": [ "", "CanNotDelete", "ReadOnly" - ] + ], + "metadata": { + "description": "Optional. Specify the type of lock." + } }, "roleAssignments": { "type": "array", @@ -44468,8 +47579,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "10525586211840772754" + "version": "0.21.1.54444", + "templateHash": "12494527698043294819" } }, "parameters": { @@ -44623,8 +47734,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "3109828817825228978" + "version": "0.21.1.54444", + "templateHash": "1998504441889364515" } }, "parameters": { @@ -44744,14 +47855,14 @@ "lock": { "type": "string", "defaultValue": "", - "metadata": { - "description": "Optional. Specify the type of lock." - }, "allowedValues": [ "", "CanNotDelete", "ReadOnly" - ] + ], + "metadata": { + "description": "Optional. Specify the type of lock." + } }, "location": { "type": "string", @@ -44939,8 +48050,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "9526391067242259796" + "version": "0.21.1.54444", + "templateHash": "7328126239184883887" } }, "parameters": { @@ -45191,8 +48302,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "4280335810449335065" + "version": "0.21.1.54444", + "templateHash": "5590101494385097417" } }, "parameters": { 
@@ -45254,14 +48365,14 @@ "auxiliaryMode": { "type": "string", "defaultValue": "None", - "metadata": { - "description": "Optional. Auxiliary mode of Network Interface resource. Not all regions are enabled for Auxiliary Mode Nic." - }, "allowedValues": [ "Floating", "MaxConnections", "None" - ] + ], + "metadata": { + "description": "Optional. Auxiliary mode of Network Interface resource. Not all regions are enabled for Auxiliary Mode Nic." + } }, "disableTcpStateTracking": { "type": "bool", @@ -45279,14 +48390,14 @@ "lock": { "type": "string", "defaultValue": "", - "metadata": { - "description": "Optional. Specify the type of lock." - }, "allowedValues": [ "", "CanNotDelete", "ReadOnly" - ] + ], + "metadata": { + "description": "Optional. Specify the type of lock." + } }, "roleAssignments": { "type": "array", @@ -45476,8 +48587,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "934300040337690336" + "version": "0.21.1.54444", + "templateHash": "10645923556503351364" } }, "parameters": { @@ -45695,8 +48806,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "3345220041904522099" + "version": "0.21.1.54444", + "templateHash": "2320457624134194742" } }, "parameters": { @@ -45901,8 +49012,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "3345220041904522099" + "version": "0.21.1.54444", + "templateHash": "2320457624134194742" } }, "parameters": { @@ -46102,8 +49213,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "3345220041904522099" + "version": "0.21.1.54444", + "templateHash": "2320457624134194742" } }, "parameters": { @@ -46308,8 +49419,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "3345220041904522099" + "version": "0.21.1.54444", + "templateHash": "2320457624134194742" } }, "parameters": { 
@@ -46504,8 +49615,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "3345220041904522099" + "version": "0.21.1.54444", + "templateHash": "2320457624134194742" } }, "parameters": { @@ -46700,8 +49811,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "3345220041904522099" + "version": "0.21.1.54444", + "templateHash": "2320457624134194742" } }, "parameters": { @@ -46900,8 +50011,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "3345220041904522099" + "version": "0.21.1.54444", + "templateHash": "2320457624134194742" } }, "parameters": { @@ -47108,8 +50219,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "3345220041904522099" + "version": "0.21.1.54444", + "templateHash": "2320457624134194742" } }, "parameters": { @@ -47309,8 +50420,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "3345220041904522099" + "version": "0.21.1.54444", + "templateHash": "2320457624134194742" } }, "parameters": { @@ -47513,8 +50624,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "542004733048752795" + "version": "0.21.1.54444", + "templateHash": "10405060501220354608" } }, "parameters": { @@ -47545,9 +50656,6 @@ }, "protectedItemType": { "type": "string", - "metadata": { - "description": "Required. The backup item type." - }, "allowedValues": [ "AzureFileShareProtectedItem", "AzureVmWorkloadSAPAseDatabase", @@ -47559,7 +50667,10 @@ "Microsoft.ClassicCompute/virtualMachines", "Microsoft.Compute/virtualMachines", "Microsoft.Sql/servers/databases" - ] + ], + "metadata": { + "description": "Required. The backup item type." + } }, "policyId": { "type": "string", 
@@ -47679,8 +50790,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "5545265229641785727" + "version": "0.21.1.54444", + "templateHash": "11877341194593849245" } }, "parameters": { @@ -47896,8 +51007,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "6119857452463366145" + "version": "0.21.1.54444", + "templateHash": "8145106657487286483" } }, "parameters": { @@ -48038,14 +51149,14 @@ "lock": { "type": "string", "defaultValue": "", - "metadata": { - "description": "Optional. Specify the type of lock." - }, "allowedValues": [ "", "CanNotDelete", "ReadOnly" - ] + ], + "metadata": { + "description": "Optional. Specify the type of lock." + } }, "tags": { "type": "object", @@ -48229,8 +51340,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "3345220041904522099" + "version": "0.21.1.54444", + "templateHash": "2320457624134194742" } }, "parameters": { @@ -48428,8 +51539,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "6119857452463366145" + "version": "0.21.1.54444", + "templateHash": "8145106657487286483" } }, "parameters": { @@ -48570,14 +51681,14 @@ "lock": { "type": "string", "defaultValue": "", - "metadata": { - "description": "Optional. Specify the type of lock." - }, "allowedValues": [ "", "CanNotDelete", "ReadOnly" - ] + ], + "metadata": { + "description": "Optional. Specify the type of lock." + } }, "tags": { "type": "object", @@ -48759,8 +51870,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "3345220041904522099" + "version": "0.21.1.54444", + "templateHash": "2320457624134194742" } }, "parameters": { 
@@ -48959,8 +52070,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "6119857452463366145" + "version": "0.21.1.54444", + "templateHash": "8145106657487286483" } }, "parameters": { @@ -49101,14 +52212,14 @@ "lock": { "type": "string", "defaultValue": "", - "metadata": { - "description": "Optional. Specify the type of lock." - }, "allowedValues": [ "", "CanNotDelete", "ReadOnly" - ] + ], + "metadata": { + "description": "Optional. Specify the type of lock." + } }, "tags": { "type": "object", @@ -49268,8 +52379,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "14854652588114627341" + "version": "0.21.1.54444", + "templateHash": "7945282169717240757" } }, "parameters": { @@ -49368,8 +52479,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "7172748536042045689" + "version": "0.21.1.54444", + "templateHash": "11980268490224207781" } }, "parameters": { @@ -49484,8 +52595,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "231872691044961836" + "version": "0.21.1.54444", + "templateHash": "17060282136194389196" } }, "parameters": { @@ -49577,8 +52688,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "5657647834665443119" + "version": "0.21.1.54444", + "templateHash": "12317712979554879023" } }, "parameters": { @@ -49752,8 +52863,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "17165573628970783202" + "version": "0.21.1.54444", + "templateHash": "14228229460676709073" } }, "parameters": { @@ -50021,8 +53132,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.17.1.54307", - "templateHash": "13416191842446717007" + "version": "0.21.1.54444", + "templateHash": "4137783479866222342" } }, "parameters": { 
diff --git a/workload/bicep/deploy-baseline.bicep b/workload/bicep/deploy-baseline.bicep index 3a8258b20..fe93e99d5 100644 --- a/workload/bicep/deploy-baseline.bicep +++ b/workload/bicep/deploy-baseline.bicep @@ -161,6 +161,12 @@ param avdVnetPrivateDnsZoneKeyvaultId string = '' @sys.description('Does the hub contains a virtual network gateway. (Default: false)') param vNetworkGatewayOnHub bool = false +@sys.description('Create Azure Firewall and Azure Firewall Policy. (Default: false)') +param deployAvdFirewall bool = false + +@sys.description('AzureFirewallSubnet prefixes. (Default: 10.0.2.0/24)') +param firewallSubnetAddressPrefix string = '10.0.2.0/24' + @sys.description('Deploy Fslogix setup. (Default: true)') param createAvdFslogixDeployment bool = true 
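Review bot: The description of `firewallSubnetAddressPrefix` does not say that the prefix is created as a subnet inside an existing hub virtual network, so the hard-coded default `10.0.2.0/24` can fall outside the hub address space or overlap a subnet already in use there. The parameter has no constraint of its own, and the only format check visible in this commit lives in the portal UI form, so CLI or pipeline deployments get no validation. I would document the requirement on the parameter, for example `@sys.description('AzureFirewallSubnet address prefix; must be an unused range of at least /26 inside the existing hub virtual network. (Default: 10.0.2.0/24)')`.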
@@ -517,6 +523,13 @@ var varPrivateEndpointNetworksecurityGroupName = avdUseCustomNaming ? privateEnd var varAvdRouteTableName = avdUseCustomNaming ? avdRouteTableCustomName : 'route-avd-${varComputeStorageResourcesNamingStandard}-001' var varPrivateEndpointRouteTableName = avdUseCustomNaming ? privateEndpointRouteTableCustomName : 'route-pe-${varComputeStorageResourcesNamingStandard}-001' var varApplicationSecurityGroupName = avdUseCustomNaming ? avdApplicationSecurityGroupCustomName : 'asg-${varComputeStorageResourcesNamingStandard}-001' +var varFiwewallName = 'fw-avd-${varHubVnetName}' +var varFiwewallPolicyName = 'fwpol-avd-${varHubVnetName}' +var varFiwewallPolicyRuleCollectionGroupName = '${varFiwewallPolicyName}-rcg' +var varFiwewallPolicyNetworkRuleCollectionName = '${varFiwewallPolicyName}-nw-rule-collection' +var varFiwewallPolicyOptionalRuleCollectionGroupName = '${varFiwewallPolicyName}-rcg-optional' +var varFiwewallPolicyOptionalNetworkRuleCollectionName = '${varFiwewallPolicyName}-nw-rule-collection-optional' +var varFiwewallPolicyOptionalApplicationRuleCollectionName = '${varFiwewallPolicyName}-app-rule-collection-optional' var varWorkSpaceName = avdUseCustomNaming ? avdWorkSpaceCustomName : 'vdws-${varManagementPlaneNamingStandard}-001' var varWorkSpaceFriendlyName = avdUseCustomNaming ? avdWorkSpaceCustomFriendlyName : 'Workspace ${deploymentPrefix} ${deploymentEnvironment} ${avdManagementPlaneLocation} 001' var varHostPoolName = avdUseCustomNaming ? avdHostPoolCustomName : 'vdpool-${varManagementPlaneNamingStandard}-001' 
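Review bot: All seven new variables are spelled `varFiwewall…` instead of `varFirewall…`, and the misspelling is carried into the module call in the following hunk (@@ -950,6 +963,15 @@). Renaming them now, e.g. `var varFirewallName = 'fw-avd-${varHubVnetName}'` and `var varFirewallPolicyName = 'fwpol-avd-${varHubVnetName}'`, keeps the firewall resources searchable alongside the `firewall…` parameters they feed. Unlike the neighbouring names, these do not honour `avdUseCustomNaming`; if that is intentional because the firewall lives in the hub, a one-line comment saying so would help.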
@@ -950,6 +963,15 @@ module networking './modules/networking/deploy.bicep' = if (createAvdVnet || cre dnsServers: varDnsServers tags: createResourceTags ? union(varCustomResourceTags, varAvdDefaultTags) : varAvdDefaultTags alaWorkspaceResourceId: avdDeployMonitoring ? (deployAlaWorkspace ? monitoringDiagnosticSettings.outputs.avdAlaWorkspaceResourceId : alaExistingWorkspaceResourceId) : '' + deployAvdFirewall: deployAvdFirewall + firewallName: varFiwewallName + firewallPolicyName: varFiwewallPolicyName + firewallPolicyRuleCollectionGroupName: varFiwewallPolicyRuleCollectionGroupName + firewallPolicyNetworkRuleCollectionName: varFiwewallPolicyNetworkRuleCollectionName + firewallPolicyOptionalRuleCollectionGroupName: varFiwewallPolicyOptionalRuleCollectionGroupName + firewallPolicyOptionalNetworkRuleCollectionName: varFiwewallPolicyOptionalNetworkRuleCollectionName + firewallPolicyOptionalApplicationRuleCollectionName: varFiwewallPolicyOptionalApplicationRuleCollectionName + firewallSubnetAddressPrefix: firewallSubnetAddressPrefix } dependsOn: [ baselineNetworkResourceGroup diff --git a/workload/bicep/modules/networking/deploy.bicep b/workload/bicep/modules/networking/deploy.bicep index 4ea9fa8f3..d67cf581a 100644 --- a/workload/bicep/modules/networking/deploy.bicep +++ b/workload/bicep/modules/networking/deploy.bicep 
@@ -57,6 +57,33 @@ param remoteVnetPeeringName string @sys.description('Create virtual network peering to hub.') param createVnetPeering bool +@sys.description('Create firewall and firewall policy to hub virtual network.') +param deployAvdFirewall bool + +@sys.description('Firewall name') +param firewallName string + +@sys.description('Firewall policy name') +param firewallPolicyName string + +@sys.description('Firewall policy rule collection group name') +param firewallPolicyRuleCollectionGroupName string + +@sys.description('Firewall policy rule collection group name (optional)') +param firewallPolicyOptionalRuleCollectionGroupName string + +@sys.description('Firewall policy network rule collection name') +param firewallPolicyNetworkRuleCollectionName string + +@sys.description('Firewall policy network rule collection name (optional)') +param firewallPolicyOptionalNetworkRuleCollectionName string + +@sys.description('Firewall policy application rule collection name (optional)') +param firewallPolicyOptionalApplicationRuleCollectionName string + +@sys.description('Firewall subnet adderss prefix') +param firewallSubnetAddressPrefix string + @sys.description('Optional. AVD Accelerator will deploy with private endpoints by default.') param deployPrivateEndpointSubnet bool 
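Review bot: The description on the last added parameter has a typo, 'Firewall subnet adderss prefix'; it should read `@sys.description('Firewall subnet address prefix')`. These strings presumably end up in the generated template metadata, so the typo would be propagated on the next build. The other new descriptions could also state that the resources are created in the hub subscription and resource group rather than in the workload's.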
@@ -117,6 +144,10 @@ var varExistingAvdVnetResourceId = !createVnet ? '/subscriptions/${varExistingAv //var varExistingPeVnetSubRgName = split(existingPeSubnetResourceId, '/')[4] //var varExistingAPeVnetName = split(existingPeSubnetResourceId, '/')[8] //var varExistingPeVnetResourceId = '/subscriptions/${varExistingPeVnetSubId}/resourceGroups/${varExistingPeVnetSubRgName}/providers/Microsoft.Network/virtualNetworks/${varExistingAPeVnetName}' +var varExistingHubSubId = split(existingHubVnetResourceId, '/')[2] +var varExistingHubSubRgName = split(existingHubVnetResourceId, '/')[4] +var varExistingHubVnetName = split(existingHubVnetResourceId, '/')[8] + // =========== // // Deployments // // =========== // 
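Review bot: The three new variables index into `split(existingHubVnetResourceId, '/')` at [2], [4] and [8] without a guard, unlike `varExistingAvdVnetResourceId` in the context line above, which is made conditional on `!createVnet`. If `existingHubVnetResourceId` can be empty when no hub is selected (its declaration is outside this hunk), these index expressions may fail at deployment even with `deployAvdFirewall` set to false, because the values feed the `scope` of the firewall modules added further down. A guard such as `var varExistingHubSubId = !empty(existingHubVnetResourceId) ? split(existingHubVnetResourceId, '/')[2] : ''`, repeated for the other two, would cover the no-hub path; this is worth confirming with a deployment that has no hub peering.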
@@ -408,6 +439,479 @@ module privateDnsZoneKeyVaultGov '.bicep/privateDnsZones.bicep' = if (createPriv tags: tags } } + +// Firewall policy +module firewallPolicy '../../../../carml/1.3.0/Microsoft.Network/firewallPolicies/deploy.bicep' = if (deployAvdFirewall) { + scope: resourceGroup('${varExistingHubSubId}', '${varExistingHubSubRgName}') + name: 'Fw-Policy-${time}' + params: { + name: firewallPolicyName + enableProxy: true + } +} + +// Firewall policy rule collection group +module firewallPolicyRuleCollectionGroup '../../../../carml/1.3.0/Microsoft.Network/firewallPolicies/ruleCollectionGroups/deploy.bicep' = if (deployAvdFirewall) { + scope: resourceGroup('${varExistingHubSubId}', '${varExistingHubSubRgName}') + name: 'Fw-Policy-Rcg-${time}' + params: { + name: firewallPolicyRuleCollectionGroupName + firewallPolicyName: firewallPolicyName + priority: 100 + ruleCollections: [ + { + name: firewallPolicyNetworkRuleCollectionName + priority: 100 + ruleCollectionType: 'FirewallPolicyFilterRuleCollection' + action: { + type: 'Allow' + } + rules: [ + { + ruleType: 'NetworkRule' + name: 'Auth to Msft Online Services' + ipProtocols: [ + 'TCP' + ] + sourceAddresses: [ + vnetAvdSubnetAddressPrefix + ] + sourceIpGroups: [] + destinationAddresses: [] + destinationIpGroups: [] + destinationFqdns: [ + 'login.microsoftonline.com' + ] + destinationPorts: [ + '443' + ] + } + { + ruleType: 'NetworkRule' + name: 'Service Traffic' + ipProtocols: [ + 'TCP' + ] + sourceAddresses: [ + vnetAvdSubnetAddressPrefix + ] + sourceIpGroups: [] + destinationAddresses: [ + 'WindowsVirtualDesktop' + 'AzureFrontDoor.Frontend' + 'AzureMonitor' + ] + destinationIpGroups: [] + destinationFqdns: [] + destinationPorts: [ + '443' + ] + } + { + ruleType: 'NetworkRule' + name: 'DNS Traffic' + ipProtocols: [ + 'TCP' + 'UDP' + ] + sourceAddresses: [ + vnetAvdSubnetAddressPrefix + ] + sourceIpGroups: [] + destinationAddresses: [ + '*' + ] + destinationIpGroups: [] + destinationFqdns: [] + destinationPorts: 
[ + '53' + ] + } + { + ruleType: 'NetworkRule' + name: 'Azure Windows Activation' + ipProtocols: [ + 'TCP' + ] + sourceAddresses: [ + vnetAvdSubnetAddressPrefix + ] + sourceIpGroups: [] + destinationAddresses: [ + '20.118.99.224' + '40.83.235.53' + ] + destinationIpGroups: [] + destinationFqdns: [] + destinationPorts: [ + '1688' + ] + } + { + ruleType: 'NetworkRule' + name: 'Windows Activation' + ipProtocols: [ + 'TCP' + ] + sourceAddresses: [ + vnetAvdSubnetAddressPrefix + ] + sourceIpGroups: [] + destinationAddresses: [ + '23.102.135.246' + ] + destinationIpGroups: [] + destinationFqdns: [] + destinationPorts: [ + '1688' + ] + } + { + ruleType: 'NetworkRule' + name: 'Agent and SxS Stack Updates' + ipProtocols: [ + 'TCP' + ] + sourceAddresses: [ + vnetAvdSubnetAddressPrefix + ] + sourceIpGroups: [] + destinationAddresses: [] + destinationIpGroups: [] + destinationFqdns: [ + 'mrsglobalsteus2prod.blob.core.windows.net' + ] + destinationPorts: [ + '443' + ] + } + { + ruleType: 'NetworkRule' + name: 'Azure Portal Support' + ipProtocols: [ + 'TCP' + ] + sourceAddresses: [ + vnetAvdSubnetAddressPrefix + ] + sourceIpGroups: [] + destinationAddresses: [] + destinationIpGroups: [] + destinationFqdns: [ + 'wvdportalstorageblob.blob.core.windows.net' + ] + destinationPorts: [ + '443' + ] + } + { + ruleType: 'NetworkRule' + name: 'Cert CRL OneOCSP' + ipProtocols: [ + 'TCP' + ] + sourceAddresses: [ + vnetAvdSubnetAddressPrefix + ] + sourceIpGroups: [] + destinationAddresses: [] + destinationIpGroups: [] + destinationFqdns: [ + 'oneocsp.microsoft.com' + ] + destinationPorts: [ + '80' + ] + } + { + ruleType: 'NetworkRule' + name: 'Cert CRL MicrosoftDotCom' + ipProtocols: [ + 'TCP' + ] + sourceAddresses: [ + vnetAvdSubnetAddressPrefix + ] + sourceIpGroups: [] + destinationAddresses: [] + destinationIpGroups: [] + destinationFqdns: [ + 'www.microsoft.com' + ] + destinationPorts: [ + '80' + ] + } + ] + } + ] + } + dependsOn: [ + firewallPolicy + ] +} + +// Firewall policy optional 
rule collection group +module firewallPolicyOptionalRuleCollectionGroup '../../../../carml/1.3.0/Microsoft.Network/firewallPolicies/ruleCollectionGroups/deploy.bicep' = if (deployAvdFirewall) { + scope: resourceGroup('${varExistingHubSubId}', '${varExistingHubSubRgName}') + name: 'Fw-Policy-Rcg-Optional-${time}' + params: { + name: firewallPolicyOptionalRuleCollectionGroupName + firewallPolicyName: firewallPolicyName + priority: 200 + ruleCollections: [ + { + name: firewallPolicyOptionalNetworkRuleCollectionName + priority: 100 + ruleCollectionType: 'FirewallPolicyFilterRuleCollection' + action: { + type: 'Allow' + } + rules: [ + { + ruleType: 'NetworkRule' + name: 'NTP' + ipProtocols: [ + 'UDP' + ] + sourceAddresses: [ + vnetAvdSubnetAddressPrefix + ] + sourceIpGroups: [] + destinationAddresses: [] + destinationIpGroups: [] + destinationFqdns: [ + 'time.windows.com' + ] + destinationPorts: [ + '123' + ] + } + { + ruleType: 'NetworkRule' + name: 'SigninToMSOL365' + ipProtocols: [ + 'TCP' + ] + sourceAddresses: [ + vnetAvdSubnetAddressPrefix + ] + sourceIpGroups: [] + destinationAddresses: [] + destinationIpGroups: [] + destinationFqdns: [ + 'login.windows.net' + ] + destinationPorts: [ + '443' + ] + } + { + ruleType: 'NetworkRule' + name: 'DetectOSconnectedToInternet' + ipProtocols: [ + 'TCP' + ] + sourceAddresses: [ + vnetAvdSubnetAddressPrefix + ] + sourceIpGroups: [] + destinationAddresses: [] + destinationIpGroups: [] + destinationFqdns: [ + 'www.msftconnecttest.com' + ] + destinationPorts: [ + '443' + ] + } + ] + } + { + name: firewallPolicyOptionalApplicationRuleCollectionName + priority: 200 + ruleCollectionType: 'FirewallPolicyFilterRuleCollection' + action: { + type: 'Allow' + } + rules: [ + { + ruleType: 'ApplicationRule' + name: 'UpdatesforOneDrive' + protocols: [ + { + protocolType: 'Https' + port: 443 + } + ] + fqdnTags: [ + 'WindowsUpdate' + 'WindowsDiagnostic' + 'MicrosoftActiveProtectionService' + ] + webCategories: [] + targetFqdns: [] + 
targetUrls: [] + terminateTLS: false + sourceAddresses: [ + vnetAvdSubnetAddressPrefix + ] + destinationAddresses: [] + sourceIpGroups: [] + httpHeadersToInsert: [] + } + { + ruleType: 'ApplicationRule' + name: 'TelemetryService' + protocols: [ + { + protocolType: 'Https' + port: 443 + } + ] + fqdnTags: [] + webCategories: [] + targetFqdns: [ + '*.events.data.microsoft.com' + ] + targetUrls: [] + terminateTLS: false + sourceAddresses: [ + vnetAvdSubnetAddressPrefix + ] + destinationAddresses: [] + sourceIpGroups: [] + httpHeadersToInsert: [] + } + { + ruleType: 'ApplicationRule' + name: 'Windows Update' + protocols: [ + { + protocolType: 'Https' + port: 443 + } + ] + fqdnTags: [] + webCategories: [] + targetFqdns: [ + '*.sfx.ms' + ] + targetUrls: [] + terminateTLS: false + sourceAddresses: [ + vnetAvdSubnetAddressPrefix + ] + destinationAddresses: [] + sourceIpGroups: [] + httpHeadersToInsert: [] + } + { + ruleType: 'ApplicationRule' + name: 'DigitcertCRL' + protocols: [ + { + protocolType: 'Https' + port: 443 + } + ] + fqdnTags: [] + webCategories: [] + targetFqdns: [ + '*.digicert.com' + ] + targetUrls: [] + terminateTLS: false + sourceAddresses: [ + vnetAvdSubnetAddressPrefix + ] + destinationAddresses: [] + sourceIpGroups: [] + httpHeadersToInsert: [] + } + { + ruleType: 'ApplicationRule' + name: 'AzureDNSResolution' + protocols: [ + { + protocolType: 'Https' + port: 443 + } + ] + fqdnTags: [] + webCategories: [] + targetFqdns: [ + '*.azure-dns.com' + '*.azure-dns.net' + ] + targetUrls: [] + terminateTLS: false + sourceAddresses: [ + vnetAvdSubnetAddressPrefix + ] + destinationAddresses: [] + sourceIpGroups: [] + httpHeadersToInsert: [] + } + ] + } + ] + } + dependsOn: [ + firewallPolicyRuleCollectionGroup + ] +} + +// Azure Firewall subnet +module hubVirtualNetworkAzureFirewallSubnet '../../../../carml/1.3.0/Microsoft.Network/virtualNetworks/subnets/deploy.bicep' = if (deployAvdFirewall) { + scope: resourceGroup('${varExistingHubSubId}', 
'${varExistingHubSubRgName}') + name: 'Fw-Subnet-${time}' + params: { + addressPrefix: firewallSubnetAddressPrefix + name: 'AzureFirewallSubnet' + virtualNetworkName: varExistingHubVnetName + } +} + +// Azure Firewall +module azureFirewall '../../../../carml/1.3.0/Microsoft.Network/azureFirewalls/deploy.bicep' = if (deployAvdFirewall) { + scope: resourceGroup('${varExistingHubSubId}', '${varExistingHubSubRgName}') + name: 'Fw-${time}' + params: { + name: firewallName + vNetId: existingHubVnetResourceId + firewallPolicyId: firewallPolicy.outputs.resourceId + } + dependsOn: [ + firewallPolicyOptionalRuleCollectionGroup + hubVirtualNetworkAzureFirewallSubnet + ] +} + +// AVD route table for Firewall +module routeTableAvdforFirewall '../../../../carml/1.3.0/Microsoft.Network/routeTables/deploy.bicep' = if (createVnet && deployAvdFirewall) { + scope: resourceGroup('${workloadSubsId}', '${networkObjectsRgName}') + name: 'Route-Table-AVD-Fw-${time}' + params: { + name: avdRouteTableName + location: sessionHostLocation + tags: tags + routes: varCreateAvdStaicRoute ? [ + { + name: 'default' + properties: { + addressPrefix: '0.0.0.0/0' + nextHopIpAddress: azureFirewall.outputs.privateIp + nextHopType: 'VirtualAppliance' + } + } + ] : [] + } + dependsOn: [ + azureFirewall + ] +} + // =========== // // Outputs // // =========== // diff --git a/workload/portal-ui/portal-ui-baseline.json b/workload/portal-ui/portal-ui-baseline.json index efc6490bf..2ca4baff0 100644 --- a/workload/portal-ui/portal-ui-baseline.json +++ b/workload/portal-ui/portal-ui-baseline.json 
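Review bot: The 'DNS Traffic' network rule allows TCP/UDP 53 from the AVD subnet to destination `*`, so session hosts can query any external resolver through the firewall and bypass whatever DNS filtering and logging the environment relies on. Consider limiting the rule to the resolvers the hosts are actually configured with, e.g. `destinationAddresses: dnsServers` (the baseline appears to pass a `dnsServers` value into this module; confirm that it is a non-empty array of IPs). Separately, the `azureFirewall` module call passes only `name`, `vNetId` and `firewallPolicyId`, so no diagnostic settings are configured although the baseline hands `alaWorkspaceResourceId` to this module; adding `diagnosticWorkspaceId: alaWorkspaceResourceId` would send the firewall logs to the workspace when monitoring is enabled. The rule names 'UpdatesforOneDrive' (which carries the WindowsUpdate FQDN tags) and 'Windows Update' (which targets `*.sfx.ms`) also look swapped.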
@@ -1425,6 +1425,44 @@
 "toolTip": "This information will be used to set remote gateway settings on vNet peering."
 }
 ]
+ },
+ {
+ "name": "hubVirtualNetworkFirewall",
+ "type": "Microsoft.Common.Section",
+ "visible": "[not(empty(steps('network').hubVirtualNetworkPeering.existingHubVirtualNetwork))]",
+ "label": "Firewall options for AVD deployments",
+ "elements": [
+ {
+ "name": "deployAvdFirewall",
+ "type": "Microsoft.Common.CheckBox",
+ "label": "Deploy Azure Firewall in Hub vNet",
+ "defaultValue": false,
+ "toolTip": "Create Azure Firewall and Azure Firewall Policy."
+ },
+ {
+ "name": "firewallSubnetSize",
+ "type": "Microsoft.Common.TextBox",
+ "visible": "[steps('network').hubVirtualNetworkFirewall.deployAvdFirewall]",
+ "label": "AzureFirewallSubnet address prefix",
+ "toolTip": "AzureFirewallSubnet CIDR",
+ "placeholder": "Example: 10.0.2.0/24",
+ "constraints": {
+ "required": true,
+ "regex": "^(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)\\.(25[0-5]|2[0-4]\\d|1\\d\\d|[1-9]?\\d)(?:\/(1[0-9]|2[0-6]))$",
+ "validationMessage": "Invalid CIDR range. The address prefix must be smaller than or equal to 26."
+ }
+ },
+ {
+ "name": "firewallInfoBox",
+ "type": "Microsoft.Common.InfoBox",
+ "visible": "[steps('network').hubVirtualNetworkFirewall.deployAvdFirewall]",
+ "options": {
+ "text": "Azure Firewall, Azure Firewall Policy, and Azure Firewall subnet will be created in the existing vNet hub. Additionally, UDR will be added to AVD subnet to route all traffic through the Azure Firewall for protection of AVD deployments.",
+ "uri": "https://learn.microsoft.com/azure/firewall/protect-azure-virtual-desktop",
+ "style": "info"
+ }
+ }
+ ]
 }
 ]
 },
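Review bot: The `firewallInfoBox` text promises that a UDR will route all AVD subnet traffic through the firewall, but the route-table module visible earlier in this diff is deployed only when `createVnet && deployAvdFirewall` holds, and its default route depends on `varCreateAvdStaicRoute`, whose definition is outside this view. If the checkbox is ticked in a case where those conditions are false, the firewall would be created while session-host egress presumably still bypasses it, and the UI would have told the operator otherwise. I would state the condition in the text, for example `"text": "Azure Firewall, Azure Firewall Policy, and Azure Firewall subnet will be created in the existing vNet hub. A default route through the firewall is added only when the AVD vNet is created by this deployment; otherwise configure the UDR on the AVD subnet yourself."` (wording to be confirmed against the template). The `validationMessage` could also say what the regex actually enforces, a prefix length between /10 and /26.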
@@ -2310,6 +2348,8 @@
 "vNetworkGatewayOnHub": "[if(equals(steps('network').createAvdVirtualNetwork, true), steps('network').hubVirtualNetworkPeering.hubVirtualNetworkGateway, false)]",
 "existingVnetAvdSubnetResourceId": "[if(equals(steps('network').createAvdVirtualNetwork, false), steps('network').virtualNetworkAvdSubnetSelectorName, 'no')]",
 "existingVnetPrivateEndpointSubnetResourceId": "[if(equals(steps('network').createAvdVirtualNetwork, false), steps('network').virtualNetworkPrivateEndpointSubnetSelectorName, 'no')]",
+ "deployAvdFirewall": "[steps('network').hubVirtualNetworkFirewall.deployAvdFirewall]",
+ "firewallSubnetAddressPrefix": "[if(equals(steps('network').hubVirtualNetworkFirewall.deployAvdFirewall, true), steps('network').hubVirtualNetworkFirewall.firewallSubnetSize, '10.0.2.0/24')]",
 "avdDeploySessionHosts": "[steps('sessionHosts').deploySessionHosts]",
 "avdStartVmOnConnect": "[if(equals(steps('managementPlane').managementPlaneHostPoolSettings.hostPoolType, 'Personal'), steps('managementPlane').managementPlaneHostPoolScaling.startVmOnConnect, false)]",
 "avdDeployScalingPlan": "[if(equals(steps('managementPlane').managementPlaneHostPoolSettings.hostPoolType, 'Pooled'), steps('managementPlane').managementPlaneHostPoolScaling.scalingPlan, false)]",
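Review bot: The new `deployAvdFirewall` output reads the checkbox directly, while the neighbouring outputs in this hunk wrap optional controls in `if(equals(...), ..., false)` so that a concrete value is always passed. The `hubVirtualNetworkFirewall` section is visible only when a hub vNet is selected, so this expression may evaluate to null when the section is hidden (behaviour to confirm in the portal sandbox), and the template would then receive a non-boolean for the flag that gates the firewall deployment. I would write `"deployAvdFirewall": "[coalesce(steps('network').hubVirtualNetworkFirewall.deployAvdFirewall, false)]",`. The `'10.0.2.0/24'` fallback on the next added line is a hard-coded CIDR and is harmless only as long as every consumer of `firewallSubnetAddressPrefix` stays behind the `deployAvdFirewall` condition.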