From 1ce7fe8513e887814e647c5fbdb359c1f7d84bb7 Mon Sep 17 00:00:00 2001 From: AlexanderSehr Date: Tue, 15 Aug 2023 00:29:31 +0200 Subject: [PATCH 1/9] Added CMK etc. to Net-App --- .../.test/nfs41/dependencies.bicep | 45 +++++++++++++++++++ .../.test/nfs41/main.test.bicep | 8 ++++ modules/net-app/net-app-accounts/README.md | 26 +++++++++-- .../net-app-accounts/capacity-pools/README.md | 5 ++- .../capacity-pools/main.bicep | 12 ++++- .../capacity-pools/volumes/main.bicep | 6 +-- modules/net-app/net-app-accounts/main.bicep | 29 +++++++++++- 7 files changed, 120 insertions(+), 11 deletions(-) diff --git a/modules/net-app/net-app-accounts/.test/nfs41/dependencies.bicep b/modules/net-app/net-app-accounts/.test/nfs41/dependencies.bicep index 624322e555..a3f4dbf21c 100644 --- a/modules/net-app/net-app-accounts/.test/nfs41/dependencies.bicep +++ b/modules/net-app/net-app-accounts/.test/nfs41/dependencies.bicep @@ -7,6 +7,9 @@ param virtualNetworkName string @description('Required. The name of the Managed Identity to create.') param managedIdentityName string +@description('Required. The name of the Key Vault to create.') +param keyVaultName string + var addressPrefix = '10.0.0.0/16' resource virtualNetwork 'Microsoft.Network/virtualNetworks@2022-01-01' = { 
@@ -42,6 +45,42 @@ resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018- location: location } +resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = { + name: keyVaultName + location: location + properties: { + sku: { + family: 'A' + name: 'standard' + } + tenantId: tenant().tenantId + enablePurgeProtection: true // Required by batch account + softDeleteRetentionInDays: 7 + enabledForTemplateDeployment: true + enabledForDiskEncryption: true + enabledForDeployment: true + enableRbacAuthorization: true + accessPolicies: [] + } + + resource key 'keys@2022-07-01' = { + name: 'keyEncryptionKey' + properties: { + kty: 'RSA' + } + } +} + +resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-Key-Key-Vault-Crypto-User-RoleAssignment') + scope: keyVault::key + properties: { + principalId: managedIdentity.properties.principalId + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424') // Key Vault Crypto User + principalType: 'ServicePrincipal' + } +} + @description('The resource ID of the created Virtual Network Subnet.') output subnetResourceId string = virtualNetwork.properties.subnets[0].id @@ -50,3 +89,9 @@ output managedIdentityPrincipalId string = managedIdentity.properties.principalI @description('The resource ID of the created Managed Identity.') output managedIdentityResourceId string = managedIdentity.id + +@description('The resource ID of the created Key Vault.') +output keyVaultResourceId string = keyVault.id + +@description('The name of the created Key Vault encryption key.') +output keyVaultKeyName string = keyVault::key.name diff --git a/modules/net-app/net-app-accounts/.test/nfs41/main.test.bicep b/modules/net-app/net-app-accounts/.test/nfs41/main.test.bicep index 2ef7beb8c2..6dbf604d1c 100644 --- a/modules/net-app/net-app-accounts/.test/nfs41/main.test.bicep 
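Review bot: The comment `// Required by batch account` on `enablePurgeProtection: true` is a copy-paste from another module's test and misstates why the setting is here; this vault backs a NetApp account's customer-managed key, and the Azure NetApp Files CMK requirements call for soft delete and purge protection on the vault, so it should read `// Required for Azure NetApp Files customer-managed keys (soft delete + purge protection)`. The three `enabledForTemplateDeployment`, `enabledForDiskEncryption` and `enabledForDeployment` flags open the vault to ARM, disk-encryption and VM secret retrieval that nothing in this scenario uses; dropping them keeps the test dependency at the minimum the CMK flow needs. The `keyPermissions` assignment, scoped to the key itself with Key Vault Crypto User rather than to the whole vault, is the right least-privilege shape for the identity.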
+++ b/modules/net-app/net-app-accounts/.test/nfs41/main.test.bicep @@ -14,6 +14,9 @@ param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') param serviceShort string = 'nanaanfs41' +@description('Generated. Used as a basis for unique resource names.') +param baseTime string = utcNow('u') + @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true @@ -37,6 +40,8 @@ module nestedDependencies 'dependencies.bicep' = { params: { virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total) + keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}' } } @@ -148,5 +153,8 @@ module testDeployment '../../main.bicep' = { userAssignedIdentities: { '${nestedDependencies.outputs.managedIdentityResourceId}': {} } + cMKKeyName: nestedDependencies.outputs.keyVaultKeyName + cMKKeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId + cMKUserAssignedIdentityResourceId: nestedDependencies.outputs.managedIdentityResourceId } } diff --git a/modules/net-app/net-app-accounts/README.md b/modules/net-app/net-app-accounts/README.md index c665ea0472..af87ea0b99 100644 --- a/modules/net-app/net-app-accounts/README.md +++ b/modules/net-app/net-app-accounts/README.md 
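Review bot: The suffix `substring(uniqueString(baseTime), 0, 3)` in the `keyVaultName` line of the second hunk yields only three characters, and because the vault is created with purge protection every run leaves a soft-deleted vault whose name stays reserved for the retention period, so a repeated suffix inside that window fails the dependency deployment with a name conflict instead of the test itself. The risk is small but grows with each run; if the 24-character limit the comment mentions leaves room, a longer slice reduces it, and the comment could state the consequence: `// Purge protection keeps soft-deleted vault names reserved, so each run needs a fresh name`. The third hunk passes the same identity in `cMKUserAssignedIdentityResourceId` and `userAssignedIdentities`, which is what the account needs to fetch the key.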
@@ -16,9 +16,9 @@ This module deploys an Azure NetApp File. | :-- | :-- | | `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.NetApp/netAppAccounts` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.NetApp/netAppAccounts) | -| `Microsoft.NetApp/netAppAccounts/capacityPools` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.NetApp/netAppAccounts/capacityPools) | -| `Microsoft.NetApp/netAppAccounts/capacityPools/volumes` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.NetApp/netAppAccounts/capacityPools/volumes) | +| `Microsoft.NetApp/netAppAccounts` | [2022-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.NetApp/netAppAccounts) | +| `Microsoft.NetApp/netAppAccounts/capacityPools` | [2022-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.NetApp/netAppAccounts/capacityPools) | +| `Microsoft.NetApp/netAppAccounts/capacityPools/volumes` | [2022-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.NetApp/netAppAccounts/capacityPools/volumes) | ## Parameters 
@@ -28,11 +28,19 @@ This module deploys an Azure NetApp File. | :-- | :-- | :-- | | `name` | string | The name of the NetApp account. | +**Conditional parameters** + +| Parameter Name | Type | Default Value | Description | +| :-- | :-- | :-- | :-- | +| `cMKKeyVaultResourceId` | string | `''` | The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty. | +| `cMKUserAssignedIdentityResourceId` | string | `''` | User assigned identity to use when fetching the customer managed key. Required if 'cMKKeyName' is not empty. | + **Optional parameters** | Parameter Name | Type | Default Value | Allowed Values | Description | | :-- | :-- | :-- | :-- | :-- | | `capacityPools` | _[capacityPools](capacity-pools/README.md)_ array | `[]` | | Capacity pools to create. | +| `cMKKeyName` | string | `''` | | The name of the customer managed key to use for encryption. | | `dnsServers` | string | `''` | | Required if domainName is specified. Comma separated list of DNS server IP addresses (IPv4 only) required for the Active Directory (AD) domain join and SMB authentication operations to succeed. | | `domainJoinOU` | string | `''` | | Used only if domainName is specified. LDAP Path for the Organization Unit (OU) where SMB Server machine accounts will be created (i.e. 'OU=SecondLevel,OU=FirstLevel'). | | `domainJoinPassword` | securestring | `''` | | Required if domainName is specified. Password of the user specified in domainJoinUser parameter. | @@ -561,6 +569,9 @@ module netAppAccounts './net-app/net-app-accounts/main.bicep' = { volumes: [] } ] + cMKKeyName: '' + cMKKeyVaultResourceId: '' + cMKUserAssignedIdentityResourceId: '' enableDefaultTelemetry: '' roleAssignments: [ { 
@@ -683,6 +694,15 @@ module netAppAccounts './net-app/net-app-accounts/main.bicep' = { } ] }, + "cMKKeyName": { + "value": "" + }, + "cMKKeyVaultResourceId": { + "value": "" + }, + "cMKUserAssignedIdentityResourceId": { + "value": "" + }, "enableDefaultTelemetry": { "value": "" }, diff --git a/modules/net-app/net-app-accounts/capacity-pools/README.md b/modules/net-app/net-app-accounts/capacity-pools/README.md index 9f92243b26..2e7dcafa87 100644 --- a/modules/net-app/net-app-accounts/capacity-pools/README.md +++ b/modules/net-app/net-app-accounts/capacity-pools/README.md @@ -14,8 +14,8 @@ This module deploys an Azure NetApp Files Capacity Pool. | Resource Type | API Version | | :-- | :-- | | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.NetApp/netAppAccounts/capacityPools` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.NetApp/netAppAccounts/capacityPools) | -| `Microsoft.NetApp/netAppAccounts/capacityPools/volumes` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.NetApp/netAppAccounts/capacityPools/volumes) | +| `Microsoft.NetApp/netAppAccounts/capacityPools` | [2022-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.NetApp/netAppAccounts/capacityPools) | +| `Microsoft.NetApp/netAppAccounts/capacityPools/volumes` | [2022-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.NetApp/netAppAccounts/capacityPools/volumes) | ## Parameters 
@@ -38,6 +38,7 @@ This module deploys an Azure NetApp Files Capacity Pool. | :-- | :-- | :-- | :-- | :-- | | `coolAccess` | bool | `False` | | If enabled (true) the pool can contain cool Access enabled volumes. | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | +| `encryptionType` | string | `'Double'` | `[Double, Single]` | Encryption type of the capacity pool, set encryption type for data at rest for this pool and all volumes in it. This value can only be set when creating new pool. | | `location` | string | `[resourceGroup().location]` | | Location of the pool volume. | | `qosType` | string | `'Auto'` | `[Auto, Manual]` | The qos type of the pool. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | diff --git a/modules/net-app/net-app-accounts/capacity-pools/main.bicep b/modules/net-app/net-app-accounts/capacity-pools/main.bicep index ca5e083edd..18e78e662b 100644 --- a/modules/net-app/net-app-accounts/capacity-pools/main.bicep +++ b/modules/net-app/net-app-accounts/capacity-pools/main.bicep 
@@ -42,6 +42,13 @@ param coolAccess bool = false @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalId\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') param roleAssignments array = [] +@description('Optional. Encryption type of the capacity pool, set encryption type for data at rest for this pool and all volumes in it. This value can only be set when creating new pool.') +@allowed([ + 'Double' + 'Single' +]) +param encryptionType string = 'Double' + @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true @@ -59,11 +66,11 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource netAppAccount 'Microsoft.NetApp/netAppAccounts@2022-09-01' existing = { +resource netAppAccount 'Microsoft.NetApp/netAppAccounts@2022-11-01' existing = { name: netAppAccountName } -resource capacityPool 'Microsoft.NetApp/netAppAccounts/capacityPools@2022-09-01' = { +resource capacityPool 'Microsoft.NetApp/netAppAccounts/capacityPools@2022-11-01' = { name: name parent: netAppAccount location: location @@ -73,6 +80,7 @@ resource capacityPool 'Microsoft.NetApp/netAppAccounts/capacityPools@2022-09-01' size: size qosType: qosType coolAccess: coolAccess + encryptionType: encryptionType } } diff --git a/modules/net-app/net-app-accounts/capacity-pools/volumes/main.bicep b/modules/net-app/net-app-accounts/capacity-pools/volumes/main.bicep index 50001477ae..f6181b6089 100644 --- a/modules/net-app/net-app-accounts/capacity-pools/volumes/main.bicep +++ b/modules/net-app/net-app-accounts/capacity-pools/volumes/main.bicep 
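Review bot: The new `encryptionType: encryptionType` property in the third hunk is sent on every deployment, while the parameter description in the first hunk says the value can only be set when creating a new pool; if the service enforces that, a redeploy of a pool created with the other type will presumably be rejected, and with this patch's default of `'Double'` every pre-existing pool (created with the service default) is affected because the module offers no way to omit the property. The description should say so: `Optional. Encryption type of the capacity pool ... This value can only be set when creating new pool; redeploying an existing pool with a different value is expected to fail.` The later commit in this series that moves the default to `'Single'` limits the impact but does not remove it for pools created with double encryption.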
@@ -56,15 +56,15 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource netAppAccount 'Microsoft.NetApp/netAppAccounts@2022-09-01' existing = { +resource netAppAccount 'Microsoft.NetApp/netAppAccounts@2022-11-01' existing = { name: netAppAccountName - resource capacityPool 'capacityPools@2022-05-01' existing = { + resource capacityPool 'capacityPools@2022-11-01' existing = { name: capacityPoolName } } -resource volume 'Microsoft.NetApp/netAppAccounts/capacityPools/volumes@2022-09-01' = { +resource volume 'Microsoft.NetApp/netAppAccounts/capacityPools/volumes@2022-11-01' = { name: name parent: netAppAccount::capacityPool location: location diff --git a/modules/net-app/net-app-accounts/main.bicep b/modules/net-app/net-app-accounts/main.bicep index 6928441f06..4a5525eef6 100644 --- a/modules/net-app/net-app-accounts/main.bicep +++ b/modules/net-app/net-app-accounts/main.bicep @@ -47,6 +47,15 @@ param lock string = '' @description('Optional. Tags for all resources.') param tags object = {} +@description('Conditional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if \'cMKKeyName\' is not empty.') +param cMKKeyVaultResourceId string = '' + +@description('Optional. The name of the customer managed key to use for encryption.') +param cMKKeyName string = '' + +@description('Conditional. User assigned identity to use when fetching the customer managed key. Required if \'cMKKeyName\' is not empty.') +param cMKUserAssignedIdentityResourceId string = '' + @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true 
@@ -70,6 +79,11 @@ var identity = identityType != 'None' ? { userAssignedIdentities: !empty(userAssignedIdentities) ? userAssignedIdentities : null } : null +resource cMKKeyVault 'Microsoft.KeyVault/vaults@2021-10-01' existing = if (!empty(cMKKeyVaultResourceId)) { + name: last(split(cMKKeyVaultResourceId, '/'))! + scope: resourceGroup(split(cMKKeyVaultResourceId, '/')[2], split(cMKKeyVaultResourceId, '/')[4]) +} + resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (enableDefaultTelemetry) { name: 'pid-47ed15a6-730a-4827-bcb4-0fd963ffbd82-${uniqueString(deployment().name)}' properties: { @@ -82,13 +96,26 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena } } -resource netAppAccount 'Microsoft.NetApp/netAppAccounts@2022-09-01' = { +resource netAppAccount 'Microsoft.NetApp/netAppAccounts@2022-11-01' = { name: name tags: tags identity: identity location: location properties: { activeDirectories: !empty(domainName) ? activeDirectoryConnectionProperties : null + encryption: !empty(cMKKeyName) ? { + identity: !empty(cMKUserAssignedIdentityResourceId) ? { + userAssignedIdentity: cMKUserAssignedIdentityResourceId + } : null + keySource: 'Microsoft.KeyVault' + keyVaultProperties: { + keyName: cMKKeyName + keyVaultResourceId: cMKKeyVault.id + keyVaultUri: cMKKeyVault.properties.vaultUri + } + } : { + keySource: 'Microsoft.NetApp' + } } } From 77ee5fa72a0ce553b56bd14f2630d39ea5ee6c33 Mon Sep 17 00:00:00 2001 From: AlexanderSehr Date: Tue, 15 Aug 2023 00:32:24 +0200 Subject: [PATCH 2/9] Updated encrpytion default --- modules/net-app/net-app-accounts/capacity-pools/README.md | 2 +- modules/net-app/net-app-accounts/capacity-pools/main.bicep | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/net-app/net-app-accounts/capacity-pools/README.md b/modules/net-app/net-app-accounts/capacity-pools/README.md index 2e7dcafa87..b3e6bfb42f 100644 --- a/modules/net-app/net-app-accounts/capacity-pools/README.md 
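Review bot: The `encryption` block in the second hunk is keyed on `cMKKeyName`, but the `cMKKeyVault` existing resource in the first hunk is keyed on `cMKKeyVaultResourceId`, so a key name without a vault ID fails inside `split(cMKKeyVaultResourceId, '/')[2]` or the `cMKKeyVault.id` reference with an index or reference error rather than the "Required if 'cMKKeyName' is not empty" message the descriptions promise; a silent fallback to `keySource: 'Microsoft.NetApp'` would be worse, since it downgrades the encryption configuration without any error, so the fix is to make the failure explicit (for example by conditioning the existing resource on `!empty(cMKKeyName)` as well) rather than to relax the condition. The `identity: !empty(cMKUserAssignedIdentityResourceId) ? { ... } : null` branch also contradicts the description that the identity is required when a key name is given: either it is required and the `null` branch is dead, or the account's system-assigned identity is meant to fetch the key, in which case that mode and its key-access requirement need documenting. The description of `cMKUserAssignedIdentityResourceId` should additionally note `The identity must also be listed in 'userAssignedIdentities' of this account.`, which is what the test in this series does and what the account needs to reach the key.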
+++ b/modules/net-app/net-app-accounts/capacity-pools/README.md @@ -38,7 +38,7 @@ This module deploys an Azure NetApp Files Capacity Pool. | :-- | :-- | :-- | :-- | :-- | | `coolAccess` | bool | `False` | | If enabled (true) the pool can contain cool Access enabled volumes. | | `enableDefaultTelemetry` | bool | `True` | | Enable telemetry via a Globally Unique Identifier (GUID). | -| `encryptionType` | string | `'Double'` | `[Double, Single]` | Encryption type of the capacity pool, set encryption type for data at rest for this pool and all volumes in it. This value can only be set when creating new pool. | +| `encryptionType` | string | `'Single'` | `[Double, Single]` | Encryption type of the capacity pool, set encryption type for data at rest for this pool and all volumes in it. This value can only be set when creating new pool. | | `location` | string | `[resourceGroup().location]` | | Location of the pool volume. | | `qosType` | string | `'Auto'` | `[Auto, Manual]` | The qos type of the pool. | | `roleAssignments` | array | `[]` | | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | diff --git a/modules/net-app/net-app-accounts/capacity-pools/main.bicep b/modules/net-app/net-app-accounts/capacity-pools/main.bicep index 18e78e662b..5cd507c840 100644 --- a/modules/net-app/net-app-accounts/capacity-pools/main.bicep +++ b/modules/net-app/net-app-accounts/capacity-pools/main.bicep 
@@ -47,7 +47,7 @@ param roleAssignments array = []
 'Double'
 'Single'
 ])
-param encryptionType string = 'Double'
+param encryptionType string = 'Single'
 
 @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).')
 param enableDefaultTelemetry bool = true
From f91b7ec67de0e7dd8130e02577f675ccc43ab69d Mon Sep 17 00:00:00 2001 From: AlexanderSehr Date: Tue, 15 Aug 2023 00:35:20 +0200 Subject: [PATCH 3/9] Updated JSON --- .../net-app-accounts/capacity-pools/main.json | 48 ++++++--- modules/net-app/net-app-accounts/main.json | 97 +++++++++++++------ 2 files changed, 103 insertions(+), 42 deletions(-)
diff --git a/modules/net-app/net-app-accounts/capacity-pools/main.json b/modules/net-app/net-app-accounts/capacity-pools/main.json
index 1810973d91..0ef41ba698 100644
--- a/modules/net-app/net-app-accounts/capacity-pools/main.json
+++ b/modules/net-app/net-app-accounts/capacity-pools/main.json
@@ -4,9 +4,12 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.19.5.34762",
- "templateHash": "5582726599079259116"
- }
+ "version": "0.20.4.51522",
+ "templateHash": "13333372953499047799"
+ },
+ "name": "Azure NetApp Files Capacity Pools",
+ "description": "This module deploys an Azure NetApp Files Capacity Pool.",
+ "owner": "Azure/module-maintainers"
 },
 "parameters": {
 "netAppAccountName": {
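Review bot: The default change from `'Double'` to `'Single'` on `param encryptionType` is not explained anywhere in the code, and since the description says the value is fixed at pool creation, the next maintainer who "hardens" the default back to double encryption would break redeployments of every existing pool. A short comment above the parameter records the constraint: `// 'Single' matches the service default so existing pools redeploy unchanged; double encryption must be chosen when the pool is created`. The README line in this commit mirrors the new default correctly.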
@@ -86,6 +89,17 @@ "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, + "encryptionType": { + "type": "string", + "defaultValue": "Single", + "allowedValues": [ + "Double", + "Single" + ], + "metadata": { + "description": "Optional. Encryption type of the capacity pool, set encryption type for data at rest for this pool and all volumes in it. This value can only be set when creating new pool." + } + }, "enableDefaultTelemetry": { "type": "bool", "defaultValue": true, @@ -114,7 +128,7 @@ }, { "type": "Microsoft.NetApp/netAppAccounts/capacityPools", - "apiVersion": "2022-09-01", + "apiVersion": "2022-11-01", "name": "[format('{0}/{1}', parameters('netAppAccountName'), parameters('name'))]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", @@ -122,7 +136,8 @@ "serviceLevel": "[parameters('serviceLevel')]", "size": "[parameters('size')]", "qosType": "[parameters('qosType')]", - "coolAccess": "[parameters('coolAccess')]" + "coolAccess": "[parameters('coolAccess')]", + "encryptionType": "[parameters('encryptionType')]" } }, { @@ -176,9 +191,12 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.19.5.34762", - "templateHash": "4861424102878838813" - } + "version": "0.20.4.51522", + "templateHash": "5724175752968001086" + }, + "name": "Azure NetApp Files Capacity Pool Volumes", + "description": "This module deploys an Azure NetApp Files Capacity Pool Volume.", + "owner": "Azure/module-maintainers" }, "parameters": { "netAppAccountName": { 
@@ -284,7 +302,7 @@ }, { "type": "Microsoft.NetApp/netAppAccounts/capacityPools/volumes", - "apiVersion": "2022-09-01", + "apiVersion": "2022-11-01", "name": "[format('{0}/{1}/{2}', parameters('netAppAccountName'), parameters('capacityPoolName'), parameters('name'))]", "location": "[parameters('location')]", "properties": { @@ -330,8 +348,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.19.5.34762", - "templateHash": "2805945634543671808" + "version": "0.20.4.51522", + "templateHash": "6579931820257793193" } }, "parameters": { @@ -472,7 +490,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.NetApp/netAppAccounts/capacityPools/volumes', parameters('netAppAccountName'), parameters('capacityPoolName'), parameters('name')), '2022-09-01', 'full').location]" + "value": "[reference(resourceId('Microsoft.NetApp/netAppAccounts/capacityPools/volumes', parameters('netAppAccountName'), parameters('capacityPoolName'), parameters('name')), '2022-11-01', 'full').location]" } } } @@ -515,8 +533,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.19.5.34762", - "templateHash": "3662901243445895322" + "version": "0.20.4.51522", + "templateHash": "6567527079478034080" } }, "parameters": { @@ -657,7 +675,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.NetApp/netAppAccounts/capacityPools', parameters('netAppAccountName'), parameters('name')), '2022-09-01', 'full').location]" + "value": "[reference(resourceId('Microsoft.NetApp/netAppAccounts/capacityPools', parameters('netAppAccountName'), parameters('name')), '2022-11-01', 'full').location]" } } } \ No newline at end of file diff --git a/modules/net-app/net-app-accounts/main.json b/modules/net-app/net-app-accounts/main.json index e429de2b0c..84ec18965e 100644 --- a/modules/net-app/net-app-accounts/main.json 
+++ b/modules/net-app/net-app-accounts/main.json @@ -4,9 +4,12 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.19.5.34762", - "templateHash": "417256104056036730" - } + "version": "0.20.4.51522", + "templateHash": "14277016556331634037" + }, + "name": "Azure NetApp Files", + "description": "This module deploys an Azure NetApp File.", + "owner": "Azure/module-maintainers" }, "parameters": { "name": { @@ -88,14 +91,14 @@ "lock": { "type": "string", "defaultValue": "", - "metadata": { - "description": "Optional. Specify the type of lock." - }, "allowedValues": [ "", "CanNotDelete", "ReadOnly" - ] + ], + "metadata": { + "description": "Optional. Specify the type of lock." + } }, "tags": { "type": "object", @@ -104,6 +107,27 @@ "description": "Optional. Tags for all resources." } }, + "cMKKeyVaultResourceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Conditional. The resource ID of a key vault to reference a customer managed key for encryption from. Required if 'cMKKeyName' is not empty." + } + }, + "cMKKeyName": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Optional. The name of the customer managed key to use for encryption." + } + }, + "cMKUserAssignedIdentityResourceId": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Conditional. User assigned identity to use when fetching the customer managed key. Required if 'cMKKeyName' is not empty." + } + }, "enableDefaultTelemetry": { "type": "bool", "defaultValue": true, 
@@ -144,13 +168,14 @@ }, { "type": "Microsoft.NetApp/netAppAccounts", - "apiVersion": "2022-09-01", + "apiVersion": "2022-11-01", "name": "[parameters('name')]", "tags": "[parameters('tags')]", "identity": "[variables('identity')]", "location": "[parameters('location')]", "properties": { - "activeDirectories": "[if(not(empty(parameters('domainName'))), variables('activeDirectoryConnectionProperties'), null())]" + "activeDirectories": "[if(not(empty(parameters('domainName'))), variables('activeDirectoryConnectionProperties'), null())]", + "encryption": "[if(not(empty(parameters('cMKKeyName'))), createObject('identity', if(not(empty(parameters('cMKUserAssignedIdentityResourceId'))), createObject('userAssignedIdentity', parameters('cMKUserAssignedIdentityResourceId')), null()), 'keySource', 'Microsoft.KeyVault', 'keyVaultProperties', createObject('keyName', parameters('cMKKeyName'), 'keyVaultResourceId', extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('cMKKeyVaultResourceId'), '/')[2], split(parameters('cMKKeyVaultResourceId'), '/')[4]), 'Microsoft.KeyVault/vaults', last(split(parameters('cMKKeyVaultResourceId'), '/'))), 'keyVaultUri', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(parameters('cMKKeyVaultResourceId'), '/')[2], split(parameters('cMKKeyVaultResourceId'), '/')[4]), 'Microsoft.KeyVault/vaults', last(split(parameters('cMKKeyVaultResourceId'), '/'))), '2021-10-01').vaultUri)), createObject('keySource', 'Microsoft.NetApp'))]" } }, { @@ -201,8 +226,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.19.5.34762", - "templateHash": "18126615230901064847" + "version": "0.20.4.51522", + "templateHash": "4042341328592599874" } }, "parameters": { 
@@ -356,9 +381,12 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.19.5.34762", - "templateHash": "5582726599079259116" - } + "version": "0.20.4.51522", + "templateHash": "13333372953499047799" + }, + "name": "Azure NetApp Files Capacity Pools", + "description": "This module deploys an Azure NetApp Files Capacity Pool.", + "owner": "Azure/module-maintainers" }, "parameters": { "netAppAccountName": { @@ -438,6 +466,17 @@ "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalId' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } }, + "encryptionType": { + "type": "string", + "defaultValue": "Single", + "allowedValues": [ + "Double", + "Single" + ], + "metadata": { + "description": "Optional. Encryption type of the capacity pool, set encryption type for data at rest for this pool and all volumes in it. This value can only be set when creating new pool." + } + }, "enableDefaultTelemetry": { "type": "bool", "defaultValue": true, @@ -466,7 +505,7 @@ }, { "type": "Microsoft.NetApp/netAppAccounts/capacityPools", - "apiVersion": "2022-09-01", + "apiVersion": "2022-11-01", "name": "[format('{0}/{1}', parameters('netAppAccountName'), parameters('name'))]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", @@ -474,7 +513,8 @@ "serviceLevel": "[parameters('serviceLevel')]", "size": "[parameters('size')]", "qosType": "[parameters('qosType')]", - "coolAccess": "[parameters('coolAccess')]" + "coolAccess": "[parameters('coolAccess')]", + "encryptionType": "[parameters('encryptionType')]" } }, { 
@@ -528,9 +568,12 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.19.5.34762", - "templateHash": "4861424102878838813" - } + "version": "0.20.4.51522", + "templateHash": "5724175752968001086" + }, + "name": "Azure NetApp Files Capacity Pool Volumes", + "description": "This module deploys an Azure NetApp Files Capacity Pool Volume.", + "owner": "Azure/module-maintainers" }, "parameters": { "netAppAccountName": { @@ -636,7 +679,7 @@ }, { "type": "Microsoft.NetApp/netAppAccounts/capacityPools/volumes", - "apiVersion": "2022-09-01", + "apiVersion": "2022-11-01", "name": "[format('{0}/{1}/{2}', parameters('netAppAccountName'), parameters('capacityPoolName'), parameters('name'))]", "location": "[parameters('location')]", "properties": { @@ -682,8 +725,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.19.5.34762", - "templateHash": "2805945634543671808" + "version": "0.20.4.51522", + "templateHash": "6579931820257793193" } }, "parameters": { @@ -824,7 +867,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.NetApp/netAppAccounts/capacityPools/volumes', parameters('netAppAccountName'), parameters('capacityPoolName'), parameters('name')), '2022-09-01', 'full').location]" + "value": "[reference(resourceId('Microsoft.NetApp/netAppAccounts/capacityPools/volumes', parameters('netAppAccountName'), parameters('capacityPoolName'), parameters('name')), '2022-11-01', 'full').location]" } } } @@ -867,8 +910,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.19.5.34762", - "templateHash": "3662901243445895322" + "version": "0.20.4.51522", + "templateHash": "6567527079478034080" } }, "parameters": { 
@@ -1009,7 +1052,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.NetApp/netAppAccounts/capacityPools', parameters('netAppAccountName'), parameters('name')), '2022-09-01', 'full').location]" + "value": "[reference(resourceId('Microsoft.NetApp/netAppAccounts/capacityPools', parameters('netAppAccountName'), parameters('name')), '2022-11-01', 'full').location]" } } } @@ -1046,7 +1089,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference(resourceId('Microsoft.NetApp/netAppAccounts', parameters('name')), '2022-09-01', 'full').location]" + "value": "[reference(resourceId('Microsoft.NetApp/netAppAccounts', parameters('name')), '2022-11-01', 'full').location]" } } } \ No newline at end of file From 365a92cff6649733caff89b0cf66fbd13a2bcee1 Mon Sep 17 00:00:00 2001 From: AlexanderSehr Date: Tue, 15 Aug 2023 08:58:07 +0200 Subject: [PATCH 4/9] Update to latest --- .../net-app/net-app-accounts/capacity-pools/volumes/README.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/net-app/net-app-accounts/capacity-pools/volumes/README.md b/modules/net-app/net-app-accounts/capacity-pools/volumes/README.md index 3d3cfe6363..20851da1db 100644 --- a/modules/net-app/net-app-accounts/capacity-pools/volumes/README.md +++ b/modules/net-app/net-app-accounts/capacity-pools/volumes/README.md 
@@ -14,7 +14,7 @@ This module deploys an Azure NetApp Files Capacity Pool Volume. | Resource Type | API Version | | :-- | :-- | | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.NetApp/netAppAccounts/capacityPools/volumes` | [2022-09-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.NetApp/netAppAccounts/capacityPools/volumes) | +| `Microsoft.NetApp/netAppAccounts/capacityPools/volumes` | [2022-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.NetApp/netAppAccounts/capacityPools/volumes) | ## Parameters From 13e7466bd293f3049232e0ada5b7f18976fe8ea6 Mon Sep 17 00:00:00 2001 From: AlexanderSehr Date: Tue, 15 Aug 2023 10:38:16 +0200 Subject: [PATCH 5/9] Updated json templates --- .../capacity-pools/volumes/main.json | 17 ++++++++++------- 1 file changed, 10 insertions(+), 7 deletions(-) diff --git a/modules/net-app/net-app-accounts/capacity-pools/volumes/main.json b/modules/net-app/net-app-accounts/capacity-pools/volumes/main.json index 3b2587b27d..49b126bd4d 100644 --- a/modules/net-app/net-app-accounts/capacity-pools/volumes/main.json +++ b/modules/net-app/net-app-accounts/capacity-pools/volumes/main.json @@ -4,9 +4,12 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.19.5.34762", - "templateHash": "4861424102878838813" - } + "version": "0.20.4.51522", + "templateHash": "5724175752968001086" + }, + "name": "Azure NetApp Files Capacity Pool Volumes", + "description": "This module deploys an Azure NetApp Files Capacity Pool Volume.", + "owner": "Azure/module-maintainers" }, "parameters": { "netAppAccountName": { 
@@ -112,7 +115,7 @@
 },
 {
 "type": "Microsoft.NetApp/netAppAccounts/capacityPools/volumes",
- "apiVersion": "2022-09-01",
+ "apiVersion": "2022-11-01",
 "name": "[format('{0}/{1}/{2}', parameters('netAppAccountName'), parameters('capacityPoolName'), parameters('name'))]",
 "location": "[parameters('location')]",
 "properties": {
@@ -158,8 +161,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.19.5.34762",
- "templateHash": "2805945634543671808"
+ "version": "0.20.4.51522",
+ "templateHash": "6579931820257793193"
 }
 },
 "parameters": {
@@ -300,7 +303,7 @@
 "metadata": {
 "description": "The location the resource was deployed into."
 },
- "value": "[reference(resourceId('Microsoft.NetApp/netAppAccounts/capacityPools/volumes', parameters('netAppAccountName'), parameters('capacityPoolName'), parameters('name')), '2022-09-01', 'full').location]"
+ "value": "[reference(resourceId('Microsoft.NetApp/netAppAccounts/capacityPools/volumes', parameters('netAppAccountName'), parameters('capacityPoolName'), parameters('name')), '2022-11-01', 'full').location]"
 }
 }
 }
\ No newline at end of file
From 6399ed678f2a443d3aee564d231ae276b93a8ded Mon Sep 17 00:00:00 2001
From: AlexanderSehr
Date: Tue, 15 Aug 2023 14:28:56 +0200
Subject: [PATCH 6/9] Extended limit of API versions

---
 utilities/pipelines/staticValidation/module.tests.ps1 | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/utilities/pipelines/staticValidation/module.tests.ps1 b/utilities/pipelines/staticValidation/module.tests.ps1
index 0e0506ea35..0b0d211709 100644
--- a/utilities/pipelines/staticValidation/module.tests.ps1
+++ b/utilities/pipelines/staticValidation/module.tests.ps1
@@ -1643,12 +1643,12 @@ Describe 'API version tests' -Tag 'ApiCheck' {
 $approvedApiVersions = @()
 if ($AllowPreviewVersionsInAPITests) {
- # We allow the latest 5 including previews (in case somebody wants to use preview), or the latest 3 non-preview
+ # We allow the latest 5 including previews (in case somebody wants to use preview), or the latest 5 non-preview
 $approvedApiVersions += $resourceTypeApiVersions | Select-Object -Last 5
- $approvedApiVersions += $resourceTypeApiVersions | Where-Object { $_ -notlike '*-preview' } | Select-Object -Last 3
+ $approvedApiVersions += $resourceTypeApiVersions | Where-Object { $_ -notlike '*-preview' } | Select-Object -Last 5
 } else {
 # We allow the latest 3 non-preview preview
- $approvedApiVersions += $resourceTypeApiVersions | Where-Object { $_ -notlike '*-preview' } | Select-Object -Last 3
+ $approvedApiVersions += $resourceTypeApiVersions | Where-Object { $_ -notlike '*-preview' } | Select-Object -Last 5
 }
 $approvedApiVersions = $approvedApiVersions | Sort-Object -Unique -Descending
From 03dfd5d31174cef5f6895d7ea3898f2134f54f7d Mon Sep 17 00:00:00 2001
From: AlexanderSehr
Date: Tue, 15 Aug 2023 14:29:45 +0200
Subject: [PATCH 7/9] Shortened test resource name

---
 modules/net-app/net-app-accounts/.test/nfs41/main.test.bicep | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/net-app/net-app-accounts/.test/nfs41/main.test.bicep b/modules/net-app/net-app-accounts/.test/nfs41/main.test.bicep
index 6dbf604d1c..0a1ad34e7c 100644
--- a/modules/net-app/net-app-accounts/.test/nfs41/main.test.bicep
+++ b/modules/net-app/net-app-accounts/.test/nfs41/main.test.bicep
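Review bot: The else-branch comment `# We allow the latest 3 non-preview preview` is now stale, since the line beneath it was changed to `Select-Object -Last 5`, and it also carries a duplicated "preview"; suggest `# We allow the latest 5 non-preview versions`. Widening the accepted window from the latest 3 to the latest 5 stable API versions means a module can pass this static check while being several releases behind the current API surface, so the rationale for the wider window would be worth recording next to `$approvedApiVersions = @()` so that later readers do not tighten it back without understanding the trade-off. The enclosing `Describe 'API version tests'` block starts and ends outside the hunk.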
@@ -12,7 +12,7 @@ param resourceGroupName string = 'ms.netapp.netappaccounts-${serviceShort}-rg'
 param location string = deployment().location
 @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
-param serviceShort string = 'nanaanfs41'
+param serviceShort string = 'naanfs41'
 @description('Generated. Used as a basis for unique resource names.')
 param baseTime string = utcNow('u')
From 16abd94c412eb2c13ff348c63088edbabd8beda6 Mon Sep 17 00:00:00 2001
From: AlexanderSehr
Date: Tue, 15 Aug 2023 17:59:05 +0200
Subject: [PATCH 8/9] Update to latest

---
 modules/net-app/net-app-accounts/README.md | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/modules/net-app/net-app-accounts/README.md b/modules/net-app/net-app-accounts/README.md
index af87ea0b99..3d360b1819 100644
--- a/modules/net-app/net-app-accounts/README.md
+++ b/modules/net-app/net-app-accounts/README.md
@@ -486,14 +486,14 @@ module netAppAccounts './net-app/net-app-accounts/main.bicep' = {
 ```bicep
 module netAppAccounts './net-app/net-app-accounts/main.bicep' = {
- name: '${uniqueString(deployment().name, location)}-test-nanaanfs41'
+ name: '${uniqueString(deployment().name, location)}-test-naanfs41'
 params: {
 // Required parameters
- name: 'nanaanfs41001'
+ name: 'naanfs41001'
 // Non-required parameters
 capacityPools: [
 {
- name: 'nanaanfs41-cp-001'
+ name: 'naanfs41-cp-001'
 roleAssignments: [
 {
 principalIds: [
@@ -517,7 +517,7 @@ module netAppAccounts './net-app/net-app-accounts/main.bicep' = {
 unixReadWrite: true
 }
 ]
- name: 'nanaanfs41-vol-001'
+ name: 'naanfs41-vol-001'
 protocolTypes: [
 'NFSv4.1'
 ]
@@ -544,7 +544,7 @@ module netAppAccounts './net-app/net-app-accounts/main.bicep' = {
 unixReadWrite: true
 }
 ]
- name: 'nanaanfs41-vol-002'
+ name: 'naanfs41-vol-002'
 protocolTypes: [
 'NFSv4.1'
 ]
@@ -554,7 +554,7 @@ module netAppAccounts './net-app/net-app-accounts/main.bicep' = {
 ]
 }
 {
- name: 'nanaanfs41-cp-002'
+ name: 'naanfs41-cp-002'
 roleAssignments: [
 {
 principalIds: [
@@ -611,13 +611,13 @@ module netAppAccounts './net-app/net-app-accounts/main.bicep' = {
 "parameters": {
 // Required parameters
 "name": {
- "value": "nanaanfs41001"
+ "value": "naanfs41001"
 },
 // Non-required parameters
 "capacityPools": {
 "value": [
 {
- "name": "nanaanfs41-cp-001",
+ "name": "naanfs41-cp-001",
 "roleAssignments": [
 {
 "principalIds": [
@@ -641,7 +641,7 @@ module netAppAccounts './net-app/net-app-accounts/main.bicep' = {
 "unixReadWrite": true
 }
 ],
- "name": "nanaanfs41-vol-001",
+ "name": "naanfs41-vol-001",
 "protocolTypes": [
 "NFSv4.1"
 ],
@@ -668,7 +668,7 @@ module netAppAccounts './net-app/net-app-accounts/main.bicep' = {
 "unixReadWrite": true
 }
 ],
- "name": "nanaanfs41-vol-002",
+ "name": "naanfs41-vol-002",
 "protocolTypes": [
 "NFSv4.1"
 ],
@@ -678,7 +678,7 @@ module netAppAccounts './net-app/net-app-accounts/main.bicep' = {
 ]
 },
 {
- "name": "nanaanfs41-cp-002",
+ "name": "naanfs41-cp-002",
 "roleAssignments": [
 {
 "principalIds": [
From 1dd46da31d74c5dace21d947f67ef5b08d3db816 Mon Sep 17 00:00:00 2001
From: AlexanderSehr
Date: Tue, 15 Aug 2023 21:21:06 +0200
Subject: [PATCH 9/9] Shortened test

---
 modules/net-app/net-app-accounts/.test/nfs41/main.test.bicep | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/net-app/net-app-accounts/.test/nfs41/main.test.bicep b/modules/net-app/net-app-accounts/.test/nfs41/main.test.bicep
index 0a1ad34e7c..c9204d32a5 100644
--- a/modules/net-app/net-app-accounts/.test/nfs41/main.test.bicep
+++ b/modules/net-app/net-app-accounts/.test/nfs41/main.test.bicep
@@ -41,7 +41,7 @@ module nestedDependencies 'dependencies.bicep' = {
 virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
 managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
 // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total)
- keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}'
+ keyVaultName: 'dep${namePrefix}kv${serviceShort}${substring(uniqueString(baseTime), 0, 3)}'
 }
 }