diff --git a/avm/res/network/network-manager/README.md b/avm/res/network/network-manager/README.md index 53356c17ac..1a82404612 100644 --- a/avm/res/network/network-manager/README.md +++ b/avm/res/network/network-manager/README.md @@ -8,6 +8,7 @@ This module deploys a Network Manager. - [Usage examples](#Usage-examples) - [Parameters](#Parameters) - [Outputs](#Outputs) +- [Cross-referenced modules](#Cross-referenced-modules) - [Notes](#Notes) - [Data Collection](#Data-Collection) 
@@ -17,14 +18,17 @@ This module deploys a Network Manager. | :-- | :-- | | `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) | | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) | -| `Microsoft.Network/networkManagers` | [2023-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-11-01/networkManagers) | -| `Microsoft.Network/networkManagers/connectivityConfigurations` | [2023-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-11-01/networkManagers/connectivityConfigurations) | -| `Microsoft.Network/networkManagers/networkGroups` | [2023-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-11-01/networkManagers/networkGroups) | -| `Microsoft.Network/networkManagers/networkGroups/staticMembers` | [2023-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-11-01/networkManagers/networkGroups/staticMembers) | -| `Microsoft.Network/networkManagers/scopeConnections` | [2023-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-11-01/networkManagers/scopeConnections) | -| `Microsoft.Network/networkManagers/securityAdminConfigurations` | [2023-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-11-01/networkManagers/securityAdminConfigurations) | -| `Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections` | [2023-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-11-01/networkManagers/securityAdminConfigurations/ruleCollections) | -| `Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules` | 
[2023-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-11-01/networkManagers/securityAdminConfigurations/ruleCollections/rules) | +| `Microsoft.Network/networkManagers` | [2024-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2024-05-01/networkManagers) | +| `Microsoft.Network/networkManagers/connectivityConfigurations` | [2024-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2024-05-01/networkManagers/connectivityConfigurations) | +| `Microsoft.Network/networkManagers/networkGroups` | [2024-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2024-05-01/networkManagers/networkGroups) | +| `Microsoft.Network/networkManagers/networkGroups/staticMembers` | [2024-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2024-05-01/networkManagers/networkGroups/staticMembers) | +| `Microsoft.Network/networkManagers/routingConfigurations` | [2024-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2024-05-01/networkManagers/routingConfigurations) | +| `Microsoft.Network/networkManagers/routingConfigurations/ruleCollections` | [2024-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2024-05-01/networkManagers/routingConfigurations/ruleCollections) | +| `Microsoft.Network/networkManagers/routingConfigurations/ruleCollections/rules` | [2024-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2024-05-01/networkManagers/routingConfigurations/ruleCollections/rules) | +| `Microsoft.Network/networkManagers/scopeConnections` | [2024-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2024-05-01/networkManagers/scopeConnections) | +| `Microsoft.Network/networkManagers/securityAdminConfigurations` | [2024-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2024-05-01/networkManagers/securityAdminConfigurations) | +| 
`Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections` | [2024-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2024-05-01/networkManagers/securityAdminConfigurations/ruleCollections) | +| `Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules` | [2024-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2024-05-01/networkManagers/securityAdminConfigurations/ruleCollections/rules) | ## Usage examples @@ -53,9 +57,6 @@ module networkManager 'br/public:avm/res/network/network-manager:' = { params: { // Required parameters name: 'nnmmin001' - networkManagerScopeAccesses: [ - 'Connectivity' - ] networkManagerScopes: { subscriptions: [ '' @@ -83,11 +84,6 @@ module networkManager 'br/public:avm/res/network/network-manager:' = { "name": { "value": "nnmmin001" }, - "networkManagerScopeAccesses": { - "value": [ - "Connectivity" - ] - }, "networkManagerScopes": { "value": { "subscriptions": [ @@ -115,9 +111,6 @@ using 'br/public:avm/res/network/network-manager:' // Required parameters param name = 'nnmmin001' -param networkManagerScopeAccesses = [ - 'Connectivity' -] param networkManagerScopes = { subscriptions: [ '' @@ -145,10 +138,6 @@ module networkManager 'br/public:avm/res/network/network-manager:' = { params: { // Required parameters name: '' - networkManagerScopeAccesses: [ - 'Connectivity' - 'SecurityAdmin' - ] networkManagerScopes: { managementGroups: [ '/providers/Microsoft.Management/managementGroups/#_managementGroupId_#' @@ -214,6 +203,7 @@ module networkManager 'br/public:avm/res/network/network-manager:' = { networkGroups: [ { description: 'network-group-spokes description' + memberType: 'VirtualNetwork' name: 'network-group-spokes-1' staticMembers: [ { 
@@ -227,17 +217,38 @@ module networkManager 'br/public:avm/res/network/network-manager:' = { ] } { + memberType: 'VirtualNetwork' name: 'network-group-spokes-2' staticMembers: [ { - name: 'virtualNetworkSpoke3' + name: 'default' resourceId: '' } ] } { + memberType: 'VirtualNetwork' name: 'network-group-spokes-3' } + { + memberType: 'Subnet' + name: 'network-groups-subnets-1' + staticMembers: [ + { + name: 'virtualNetworkSpoke1-defaultSubnet' + resourceId: '' + } + { + name: 'virtualNetworkSpoke2-defaultSubnet' + resourceId: '' + } + ] + } + ] + networkManagerScopeAccesses: [ + 'Connectivity' + 'Routing' + 'SecurityAdmin' ] roleAssignments: [ { @@ -258,6 +269,62 @@ module networkManager 'br/public:avm/res/network/network-manager:' = { roleDefinitionIdOrName: '' } ] + routingConfigurations: [ + { + description: 'description of the routing config' + name: 'test-routing-config-1' + } + { + name: 'test-routing-config-2' + ruleCollections: [ + { + appliesTo: [ + { + networkGroupResourceId: '' + } + ] + disableBgpRoutePropagation: false + name: 'test-routing-rule-collection-1-subnet' + rules: [ + { + destination: { + destinationAddress: 'AzureCloud' + type: 'ServiceTag' + } + name: 'test-routing-rule-1' + nextHop: { + nextHopType: 'VnetLocal' + } + } + { + destination: { + destinationAddress: '10.10.10.10/32' + type: 'AddressPrefix' + } + name: 'test-routing-rule-2' + nextHop: { + nextHopAddress: '192.168.1.1' + nextHopType: 'VirtualAppliance' + } + } + ] + } + ] + } + { + name: 'test-routing-config-3' + ruleCollections: [ + { + appliesTo: [ + { + networkGroupResourceId: '' + } + ] + name: 'test-routing-rule-collection-2-virtual-network' + } + ] + } + ] scopeConnections: [ { description: 'description of the scope connection' 
@@ -397,12 +464,6 @@ module networkManager 'br/public:avm/res/network/network-manager:' = { "name": { "value": "" }, - "networkManagerScopeAccesses": { - "value": [ - "Connectivity", - "SecurityAdmin" - ] - }, "networkManagerScopes": { "value": { "managementGroups": [ @@ -477,6 +538,7 @@ module networkManager 'br/public:avm/res/network/network-manager:' = { "value": [ { "description": "network-group-spokes description", + "memberType": "VirtualNetwork", "name": "network-group-spokes-1", "staticMembers": [ { @@ -490,19 +552,42 @@ module networkManager 'br/public:avm/res/network/network-manager:' = { ] }, { + "memberType": "VirtualNetwork", "name": "network-group-spokes-2", "staticMembers": [ { - "name": "virtualNetworkSpoke3", + "name": "default", "resourceId": "" } ] }, { + "memberType": "VirtualNetwork", "name": "network-group-spokes-3" + }, + { + "memberType": "Subnet", + "name": "network-groups-subnets-1", + "staticMembers": [ + { + "name": "virtualNetworkSpoke1-defaultSubnet", + "resourceId": "" + }, + { + "name": "virtualNetworkSpoke2-defaultSubnet", + "resourceId": "" + } + ] } ] }, + "networkManagerScopeAccesses": { + "value": [ + "Connectivity", + "Routing", + "SecurityAdmin" + ] + }, "roleAssignments": { "value": [ { 
@@ -524,6 +609,64 @@ module networkManager 'br/public:avm/res/network/network-manager:' = { } ] }, + "routingConfigurations": { + "value": [ + { + "description": "description of the routing config", + "name": "test-routing-config-1" + }, + { + "name": "test-routing-config-2", + "ruleCollections": [ + { + "appliesTo": [ + { + "networkGroupResourceId": "" + } + ], + "disableBgpRoutePropagation": false, + "name": "test-routing-rule-collection-1-subnet", + "rules": [ + { + "destination": { + "destinationAddress": "AzureCloud", + "type": "ServiceTag" + }, + "name": "test-routing-rule-1", + "nextHop": { + "nextHopType": "VnetLocal" + } + }, + { + "destination": { + "destinationAddress": "10.10.10.10/32", + "type": "AddressPrefix" + }, + "name": "test-routing-rule-2", + "nextHop": { + "nextHopAddress": "192.168.1.1", + "nextHopType": "VirtualAppliance" + } + } + ] + } + ] + }, + { + "name": "test-routing-config-3", + "ruleCollections": [ + { + "appliesTo": [ + { + "networkGroupResourceId": "" + } + ], + "name": "test-routing-rule-collection-2-virtual-network" + } + ] + } + ] + }, "scopeConnections": { "value": [ { @@ -665,10 +808,6 @@ using 'br/public:avm/res/network/network-manager:' // Required parameters param name = '' -param networkManagerScopeAccesses = [ - 'Connectivity' - 'SecurityAdmin' -] param networkManagerScopes = { managementGroups: [ '/providers/Microsoft.Management/managementGroups/#_managementGroupId_#' @@ -734,6 +873,7 @@ param lock = { param networkGroups = [ { description: 'network-group-spokes description' + memberType: 'VirtualNetwork' name: 'network-group-spokes-1' staticMembers: [ { 
@@ -747,17 +887,38 @@ param networkGroups = [ ] } { + memberType: 'VirtualNetwork' name: 'network-group-spokes-2' staticMembers: [ { - name: 'virtualNetworkSpoke3' + name: 'default' resourceId: '' } ] } { + memberType: 'VirtualNetwork' name: 'network-group-spokes-3' } + { + memberType: 'Subnet' + name: 'network-groups-subnets-1' + staticMembers: [ + { + name: 'virtualNetworkSpoke1-defaultSubnet' + resourceId: '' + } + { + name: 'virtualNetworkSpoke2-defaultSubnet' + resourceId: '' + } + ] + } +] +param networkManagerScopeAccesses = [ + 'Connectivity' + 'Routing' + 'SecurityAdmin' ] param roleAssignments = [ { @@ -778,6 +939,62 @@ param roleAssignments = [ roleDefinitionIdOrName: '' } ] +param routingConfigurations = [ + { + description: 'description of the routing config' + name: 'test-routing-config-1' + } + { + name: 'test-routing-config-2' + ruleCollections: [ + { + appliesTo: [ + { + networkGroupResourceId: '' + } + ] + disableBgpRoutePropagation: false + name: 'test-routing-rule-collection-1-subnet' + rules: [ + { + destination: { + destinationAddress: 'AzureCloud' + type: 'ServiceTag' + } + name: 'test-routing-rule-1' + nextHop: { + nextHopType: 'VnetLocal' + } + } + { + destination: { + destinationAddress: '10.10.10.10/32' + type: 'AddressPrefix' + } + name: 'test-routing-rule-2' + nextHop: { + nextHopAddress: '192.168.1.1' + nextHopType: 'VirtualAppliance' + } + } + ] + } + ] + } + { + name: 'test-routing-config-3' + ruleCollections: [ + { + appliesTo: [ + { + networkGroupResourceId: '' + } + ] + name: 'test-routing-rule-collection-2-virtual-network' + } + ] + } +] param scopeConnections = [ { description: 'description of the scope connection' @@ -917,9 +1134,6 @@ module networkManager 'br/public:avm/res/network/network-manager:' = { params: { // Required parameters name: 'nnmwaf001' - networkManagerScopeAccesses: [ - 'SecurityAdmin' - ] networkManagerScopes: { subscriptions: [ '' 
@@ -927,6 +1141,9 @@ module networkManager 'br/public:avm/res/network/network-manager:' = { } // Non-required parameters location: '' + networkManagerScopeAccesses: [ + 'SecurityAdmin' + ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -952,11 +1169,6 @@ module networkManager 'br/public:avm/res/network/network-manager:' = { "name": { "value": "nnmwaf001" }, - "networkManagerScopeAccesses": { - "value": [ - "SecurityAdmin" - ] - }, "networkManagerScopes": { "value": { "subscriptions": [ @@ -968,6 +1180,11 @@ module networkManager 'br/public:avm/res/network/network-manager:' = { "location": { "value": "" }, + "networkManagerScopeAccesses": { + "value": [ + "SecurityAdmin" + ] + }, "tags": { "value": { "Environment": "Non-Prod", @@ -991,9 +1208,6 @@ using 'br/public:avm/res/network/network-manager:' // Required parameters param name = 'nnmwaf001' -param networkManagerScopeAccesses = [ - 'SecurityAdmin' -] param networkManagerScopes = { subscriptions: [ '' @@ -1001,6 +1215,9 @@ param networkManagerScopes = { } // Non-required parameters param location = '' +param networkManagerScopeAccesses = [ + 'SecurityAdmin' +] param tags = { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' 
@@ -1018,7 +1235,6 @@ param tags = { | Parameter | Type | Description | | :-- | :-- | :-- | | [`name`](#parameter-name) | string | Name of the Network Manager. | -| [`networkManagerScopeAccesses`](#parameter-networkmanagerscopeaccesses) | array | Scope Access. String array containing any of "Connectivity", "SecurityAdmin". The connectivity feature allows you to create network topologies at scale. The security admin feature lets you create high-priority security rules, which take precedence over NSGs. | | [`networkManagerScopes`](#parameter-networkmanagerscopes) | object | Scope of Network Manager. Contains a list of management groups or a list of subscriptions. This defines the boundary of network resources that this Network Manager instance can manage. If using Management Groups, ensure that the "Microsoft.Network" resource provider is registered for those Management Groups prior to deployment. Must contain at least one management group or subscription. | **Conditional parameters** 
@@ -1036,9 +1252,11 @@ param tags = { | [`enableTelemetry`](#parameter-enabletelemetry) | bool | Enable/Disable usage telemetry for module. | | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | +| [`networkManagerScopeAccesses`](#parameter-networkmanagerscopeaccesses) | array | Scope Access (Also known as features). String array containing any of "Connectivity", "SecurityAdmin", or "Routing". The connectivity feature allows you to create network topologies at scale. The security admin feature lets you create high-priority security rules, which take precedence over NSGs. The routing feature allows you to describe your desired routing behavior and orchestrate user-defined routes (UDRs) to create and maintain the desired routing behavior. If none of the features are required, then this parameter does not need to be specified, which then only enables features like "IPAM" and "Virtual Network Verifier". | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignments to create. | +| [`routingConfigurations`](#parameter-routingconfigurations) | array | Routing Configurations requires enabling the "Routing" feature on Network Manager. A routing configuration contains a set of rule collections. Each rule collection contains one or more routing rules. | | [`scopeConnections`](#parameter-scopeconnections) | array | Scope Connections to create for the network manager. Allows network manager to manage resources from another tenant. Supports management groups or subscriptions from another tenant. | -| [`securityAdminConfigurations`](#parameter-securityadminconfigurations) | array | Security Admin Configurations, Rule Collections and Rules to create for the network manager. Azure Virtual Network Manager provides two different types of configurations you can deploy across your virtual networks, one of them being a SecurityAdmin configuration. 
A security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules. You then associate the rule collection with the network groups that you want to apply the security admin rules to. | +| [`securityAdminConfigurations`](#parameter-securityadminconfigurations) | array | Security Admin Configurations requires enabling the "SecurityAdmin" feature on Network Manager. A security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules. You then associate the rule collection with the network groups that you want to apply the security admin rules to. | | [`tags`](#parameter-tags) | object | Tags of the resource. | ### Parameter: `name` @@ -1048,20 +1266,6 @@ Name of the Network Manager. - Required: Yes - Type: string -### Parameter: `networkManagerScopeAccesses` - -Scope Access. String array containing any of "Connectivity", "SecurityAdmin". The connectivity feature allows you to create network topologies at scale. The security admin feature lets you create high-priority security rules, which take precedence over NSGs. - -- Required: Yes -- Type: array -- Allowed: - ```Bicep - [ - 'Connectivity' - 'SecurityAdmin' - ] - ``` - ### Parameter: `networkManagerScopes` Scope of Network Manager. Contains a list of management groups or a list of subscriptions. This defines the boundary of network resources that this Network Manager instance can manage. If using Management Groups, ensure that the "Microsoft.Network" resource provider is registered for those Management Groups prior to deployment. Must contain at least one management group or subscription. 
@@ -1108,6 +1312,7 @@ Network Groups and static members to create for the network manager. Required if | Parameter | Type | Description | | :-- | :-- | :-- | | [`description`](#parameter-networkgroupsdescription) | string | A description of the network group. | +| [`memberType`](#parameter-networkgroupsmembertype) | string | The type of the group member. Subnet member type is used for routing configurations. | | [`staticMembers`](#parameter-networkgroupsstaticmembers) | array | Static Members to create for the network group. Contains virtual networks to add to the network group. | ### Parameter: `networkGroups.name` @@ -1124,6 +1329,20 @@ A description of the network group. - Required: No - Type: string +### Parameter: `networkGroups.memberType` + +The type of the group member. Subnet member type is used for routing configurations. + +- Required: No +- Type: string +- Allowed: + ```Bicep + [ + 'Subnet' + 'VirtualNetwork' + ] + ``` + ### Parameter: `networkGroups.staticMembers` Static Members to create for the network group. Contains virtual networks to add to the network group. 
@@ -1368,6 +1587,21 @@ Specify the name of lock. - Required: No - Type: string +### Parameter: `networkManagerScopeAccesses` + +Scope Access (Also known as features). String array containing any of "Connectivity", "SecurityAdmin", or "Routing". The connectivity feature allows you to create network topologies at scale. The security admin feature lets you create high-priority security rules, which take precedence over NSGs. The routing feature allows you to describe your desired routing behavior and orchestrate user-defined routes (UDRs) to create and maintain the desired routing behavior. If none of the features are required, then this parameter does not need to be specified, which then only enables features like "IPAM" and "Virtual Network Verifier". + +- Required: No +- Type: array +- Allowed: + ```Bicep + [ + 'Connectivity' + 'Routing' + 'SecurityAdmin' + ] + ``` + ### Parameter: `roleAssignments` Array of role assignments to create. @@ -1376,7 +1610,7 @@ Array of role assignments to create. - Type: array - Roles configurable by name: - `'Contributor'` - - `'IPAM Pool Contributor'` + - `'IPAM Pool User'` - `'LocalNGFirewallAdministrator role'` - `'Network Contributor'` - `'Owner'` 
@@ -1475,6 +1709,216 @@ The principal type of the assigned principal ID. ] ``` +### Parameter: `routingConfigurations` + +Routing Configurations requires enabling the "Routing" feature on Network Manager. A routing configuration contains a set of rule collections. Each rule collection contains one or more routing rules. + +- Required: No +- Type: array + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-routingconfigurationsname) | string | The name of the routing configuration. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`description`](#parameter-routingconfigurationsdescription) | string | A description of the routing configuration. | +| [`ruleCollections`](#parameter-routingconfigurationsrulecollections) | array | Rule collections to create for the routing configuration. | + +### Parameter: `routingConfigurations.name` + +The name of the routing configuration. + +- Required: Yes +- Type: string + +### Parameter: `routingConfigurations.description` + +A description of the routing configuration. + +- Required: No +- Type: string + +### Parameter: `routingConfigurations.ruleCollections` + +Rule collections to create for the routing configuration. + +- Required: No +- Type: array + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`appliesTo`](#parameter-routingconfigurationsrulecollectionsappliesto) | array | List of network groups for configuration. A routing rule collection must be associated to at least one network group. | +| [`name`](#parameter-routingconfigurationsrulecollectionsname) | string | The name of the rule collection. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`description`](#parameter-routingconfigurationsrulecollectionsdescription) | string | A description of the rule collection. 
| +| [`disableBgpRoutePropagation`](#parameter-routingconfigurationsrulecollectionsdisablebgproutepropagation) | bool | Disables BGP route propagation for the rule collection. Defaults to true. | +| [`rules`](#parameter-routingconfigurationsrulecollectionsrules) | array | List of rules for the routing rules collection. Warning: A rule collection without a rule will cause a deployment of routing configuration to fail in network manager. | + +### Parameter: `routingConfigurations.ruleCollections.appliesTo` + +List of network groups for configuration. A routing rule collection must be associated to at least one network group. + +- Required: Yes +- Type: array + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`networkGroupResourceId`](#parameter-routingconfigurationsrulecollectionsappliestonetworkgroupresourceid) | string | The resource ID of the network group. | + +### Parameter: `routingConfigurations.ruleCollections.appliesTo.networkGroupResourceId` + +The resource ID of the network group. + +- Required: Yes +- Type: string + +### Parameter: `routingConfigurations.ruleCollections.name` + +The name of the rule collection. + +- Required: Yes +- Type: string + +### Parameter: `routingConfigurations.ruleCollections.description` + +A description of the rule collection. + +- Required: No +- Type: string + +### Parameter: `routingConfigurations.ruleCollections.disableBgpRoutePropagation` + +Disables BGP route propagation for the rule collection. Defaults to true. + +- Required: No +- Type: bool + +### Parameter: `routingConfigurations.ruleCollections.rules` + +List of rules for the routing rules collection. Warning: A rule collection without a rule will cause a deployment of routing configuration to fail in network manager. 
+ +- Required: No +- Type: array + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`destination`](#parameter-routingconfigurationsrulecollectionsrulesdestination) | object | The destination can be IP addresses or Service Tag for this route. Address Prefixes are defined using the CIDR format, while Service tags are predefined identifiers that represent a category of IP addresses, which are managed by Azure. | +| [`name`](#parameter-routingconfigurationsrulecollectionsrulesname) | string | The name of the rule. | +| [`nextHop`](#parameter-routingconfigurationsrulecollectionsrulesnexthop) | object | The next hop handles the matching packets for this route. It can be the virtual network, the virtual network gateway, the internet, a virtual appliance, or none. Virtual network gateways cannot be used if the address prefix is IPv6. If the next hop type is VirtualAppliance, the next hop address must be specified. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`description`](#parameter-routingconfigurationsrulecollectionsrulesdescription) | string | A description of the rule. | + +### Parameter: `routingConfigurations.ruleCollections.rules.destination` + +The destination can be IP addresses or Service Tag for this route. Address Prefixes are defined using the CIDR format, while Service tags are predefined identifiers that represent a category of IP addresses, which are managed by Azure. + +- Required: Yes +- Type: object + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`destinationAddress`](#parameter-routingconfigurationsrulecollectionsrulesdestinationdestinationaddress) | string | The destination IP addresses or Service Tag for this route. For IP addresses, it is the IP address range in CIDR notation that this route applies to. If the destination IP address of a packet falls in this range, it matches this route. 
As for Service Tags, valid identifiers can be "AzureCloud", "Storage.AustraliaEast", etc. See https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview for more information on service tags. | +| [`type`](#parameter-routingconfigurationsrulecollectionsrulesdestinationtype) | string | The destination type can be IP addresses or Service Tag for this route. Address Prefixes are defined using the CIDR format, while Service tags are predefined identifiers that represent a category of IP addresses, which are managed by Azure. | + +### Parameter: `routingConfigurations.ruleCollections.rules.destination.destinationAddress` + +The destination IP addresses or Service Tag for this route. For IP addresses, it is the IP address range in CIDR notation that this route applies to. If the destination IP address of a packet falls in this range, it matches this route. As for Service Tags, valid identifiers can be "AzureCloud", "Storage.AustraliaEast", etc. See https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview for more information on service tags. + +- Required: Yes +- Type: string + +### Parameter: `routingConfigurations.ruleCollections.rules.destination.type` + +The destination type can be IP addresses or Service Tag for this route. Address Prefixes are defined using the CIDR format, while Service tags are predefined identifiers that represent a category of IP addresses, which are managed by Azure. + +- Required: Yes +- Type: string +- Allowed: + ```Bicep + [ + 'AddressPrefix' + 'ServiceTag' + ] + ``` + +### Parameter: `routingConfigurations.ruleCollections.rules.name` + +The name of the rule. + +- Required: Yes +- Type: string + +### Parameter: `routingConfigurations.ruleCollections.rules.nextHop` + +The next hop handles the matching packets for this route. It can be the virtual network, the virtual network gateway, the internet, a virtual appliance, or none. Virtual network gateways cannot be used if the address prefix is IPv6. 
If the next hop type is VirtualAppliance, the next hop address must be specified. + +- Required: Yes +- Type: object + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`nextHopType`](#parameter-routingconfigurationsrulecollectionsrulesnexthopnexthoptype) | string | The next hop handles the matching packets for this route. It can be the virtual network, the virtual network gateway, the internet, a virtual appliance, or none. Virtual network gateways cannot be used if the address prefix is IPv6. If the next hop type is VirtualAppliance, the next hop address must be specified. | + +**Conditional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`nextHopAddress`](#parameter-routingconfigurationsrulecollectionsrulesnexthopnexthopaddress) | string | The IP address of the next hop. Required if the next hop type is VirtualAppliance. | + +### Parameter: `routingConfigurations.ruleCollections.rules.nextHop.nextHopType` + +The next hop handles the matching packets for this route. It can be the virtual network, the virtual network gateway, the internet, a virtual appliance, or none. Virtual network gateways cannot be used if the address prefix is IPv6. If the next hop type is VirtualAppliance, the next hop address must be specified. + +- Required: Yes +- Type: string +- Allowed: + ```Bicep + [ + 'Internet' + 'NoNextHop' + 'VirtualAppliance' + 'VirtualNetworkGateway' + 'VnetLocal' + ] + ``` + +### Parameter: `routingConfigurations.ruleCollections.rules.nextHop.nextHopAddress` + +The IP address of the next hop. Required if the next hop type is VirtualAppliance. + +- Required: No +- Type: string + +### Parameter: `routingConfigurations.ruleCollections.rules.description` + +A description of the rule. + +- Required: No +- Type: string + ### Parameter: `scopeConnections` Scope Connections to create for the network manager. Allows network manager to manage resources from another tenant. 
Supports management groups or subscriptions from another tenant. @@ -1526,7 +1970,7 @@ A description of the scope connection. ### Parameter: `securityAdminConfigurations` -Security Admin Configurations, Rule Collections and Rules to create for the network manager. Azure Virtual Network Manager provides two different types of configurations you can deploy across your virtual networks, one of them being a SecurityAdmin configuration. A security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules. You then associate the rule collection with the network groups that you want to apply the security admin rules to. +Security Admin Configurations requires enabling the "SecurityAdmin" feature on Network Manager. A security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules. You then associate the rule collection with the network groups that you want to apply the security admin rules to. - Required: No - Type: array @@ -1846,6 +2290,14 @@ Tags of the resource. | `resourceGroupName` | string | The resource group the network manager was deployed into. | | `resourceId` | string | The resource ID of the network manager. | +## Cross-referenced modules + +This section gives you an overview of all local-referenced module files (i.e., other modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). + +| Reference | Type | +| :-- | :-- | +| `br/public:avm/utl/types/avm-common-types:0.4.1` | Remote reference | + ## Notes In order to deploy a Network Manager with the `networkManagerScopes` property set to `managementGroups`, you need to register the `Microsoft.Network` resource provider at the Management Group first ([ref](https://learn.microsoft.com/en-us/rest/api/resources/providers/register-at-management-group-scope)). 
diff --git a/avm/res/network/network-manager/connectivity-configuration/README.md b/avm/res/network/network-manager/connectivity-configuration/README.md index 9229cc18de..0c72273f9a 100644 --- a/avm/res/network/network-manager/connectivity-configuration/README.md +++ b/avm/res/network/network-manager/connectivity-configuration/README.md @@ -13,7 +13,7 @@ Connectivity configurations define hub-and-spoke or mesh topologies applied to o | Resource Type | API Version | | :-- | :-- | -| `Microsoft.Network/networkManagers/connectivityConfigurations` | [2023-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-11-01/networkManagers/connectivityConfigurations) | +| `Microsoft.Network/networkManagers/connectivityConfigurations` | [2024-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2024-05-01/networkManagers/connectivityConfigurations) | ## Parameters @@ -172,6 +172,7 @@ A description of the connectivity configuration. - Required: No - Type: string +- Default: `''` ### Parameter: `isGlobal` diff --git a/avm/res/network/network-manager/connectivity-configuration/main.bicep b/avm/res/network/network-manager/connectivity-configuration/main.bicep index 72e53eb8e0..ca282ea9a1 100644 --- a/avm/res/network/network-manager/connectivity-configuration/main.bicep +++ b/avm/res/network/network-manager/connectivity-configuration/main.bicep @@ -12,7 +12,7 @@ param name string @maxLength(500) @sys.description('Optional. A description of the connectivity configuration.') -param description string? +param description string = '' @sys.description('Required. Network Groups for the configuration. A connectivity configuration must be associated to at least one network group.') param appliesToGroups appliesToGroupsType 
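Review bot: `param description string = ''` replaces a nullable parameter with an empty-string default, which changes the compiled contract from `nullable: true` to `defaultValue: ""` (the main.json hunk further down shows exactly that); the other optional parameters in this file (`isGlobal`, `deleteExistingPeering`) also use defaults, so the style is consistent, but a caller that previously passed an explicit `null` now depends on the default being substituted for it, which is worth confirming against the parent network-manager module, not part of this diff. A short why-comment above the decorator would save the next reader the archaeology, e.g. `// Empty string rather than nullable: the resource always sets properties.description, so no coalesce is needed at the call site.` The parameter list continues before the hunk (`param name string` is only visible in the hunk header).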
@@ -33,11 +33,11 @@ param deleteExistingPeering bool = false @sys.description('Optional. Flag if global mesh is supported. By default, mesh connectivity is applied to virtual networks within the same region. If set to "True", a global mesh enables connectivity across regions.') param isGlobal bool = false -resource networkManager 'Microsoft.Network/networkManagers@2023-11-01' existing = { +resource networkManager 'Microsoft.Network/networkManagers@2024-05-01' existing = { name: networkManagerName } -resource connectivityConfiguration 'Microsoft.Network/networkManagers/connectivityConfigurations@2023-11-01' = { +resource connectivityConfiguration 'Microsoft.Network/networkManagers/connectivityConfigurations@2024-05-01' = { name: name parent: networkManager properties: { @@ -49,7 +49,7 @@ resource connectivityConfiguration 'Microsoft.Network/networkManagers/connectivi }) connectivityTopology: connectivityTopology deleteExistingPeering: connectivityTopology == 'HubAndSpoke' ? string(deleteExistingPeering) : 'false' - description: description ?? '' + description: description hubs: connectivityTopology == 'HubAndSpoke' ? hubs : [] isGlobal: string(isGlobal) } @@ -68,6 +68,7 @@ output resourceGroupName string = resourceGroup().name // Definitions // // =============== // +@export() type appliesToGroupsType = { @sys.description('Required. Group connectivity type.') groupConnectivity: ('DirectlyConnected' | 'None') @@ -82,6 +83,7 @@ type appliesToGroupsType = { useHubGateway: bool? }[] +@export() type hubsType = { @sys.description('Required. Resource Id of the hub.') resourceId: string diff --git a/avm/res/network/network-manager/connectivity-configuration/main.json b/avm/res/network/network-manager/connectivity-configuration/main.json index 62a2fe4589..22069b8fff 100644 --- a/avm/res/network/network-manager/connectivity-configuration/main.json +++ b/avm/res/network/network-manager/connectivity-configuration/main.json 
@@ -6,10 +6,10 @@ "_generator": { "name": "bicep", "version": "0.32.4.45862", - "templateHash": "9454472323100733583" + "templateHash": "16461686527041815345" }, "name": "Network Manager Connectivity Configurations", - "description": "This module deploys a Network Manager Connectivity Configuration.\nConnectivity configurations define hub-and-spoke or mesh topologies applied to one or more network groups.", + "description": "This module deploys a Network Manager Connectivity Configuration.\r\nConnectivity configurations define hub-and-spoke or mesh topologies applied to one or more network groups.", "owner": "Azure/module-maintainers" }, "definitions": { @@ -49,6 +49,9 @@ } } } + }, + "metadata": { + "__bicep_export!": true } }, "hubsType": { @@ -73,7 +76,10 @@ } } }, - "nullable": true + "nullable": true, + "metadata": { + "__bicep_export!": true + } } }, "parameters": { @@ -92,7 +98,7 @@ }, "description": { "type": "string", - "nullable": true, + "defaultValue": "", "maxLength": 500, "metadata": { "description": "Optional. A description of the connectivity configuration." 
@@ -139,18 +145,18 @@ "networkManager": { "existing": true, "type": "Microsoft.Network/networkManagers", - "apiVersion": "2023-11-01", + "apiVersion": "2024-05-01", "name": "[parameters('networkManagerName')]" }, "connectivityConfiguration": { "type": "Microsoft.Network/networkManagers/connectivityConfigurations", - "apiVersion": "2023-11-01", + "apiVersion": "2024-05-01", "name": "[format('{0}/{1}', parameters('networkManagerName'), parameters('name'))]", "properties": { "appliesToGroups": "[map(parameters('appliesToGroups'), lambda('group', createObject('groupConnectivity', lambdaVariables('group').groupConnectivity, 'isGlobal', coalesce(string(lambdaVariables('group').isGlobal), 'false'), 'networkGroupId', lambdaVariables('group').networkGroupResourceId, 'useHubGateway', coalesce(string(lambdaVariables('group').useHubGateway), 'false'))))]", "connectivityTopology": "[parameters('connectivityTopology')]", "deleteExistingPeering": "[if(equals(parameters('connectivityTopology'), 'HubAndSpoke'), string(parameters('deleteExistingPeering')), 'false')]", - "description": "[coalesce(parameters('description'), '')]", + "description": "[parameters('description')]", "hubs": "[if(equals(parameters('connectivityTopology'), 'HubAndSpoke'), parameters('hubs'), createArray())]", "isGlobal": "[string(parameters('isGlobal'))]" } diff --git a/avm/res/network/network-manager/main.bicep b/avm/res/network/network-manager/main.bicep index d837037520..7c5c325cf1 100644 --- a/avm/res/network/network-manager/main.bicep +++ b/avm/res/network/network-manager/main.bicep 
@@ -10,11 +10,13 @@ param name string @sys.description('Optional. Location for all resources.') param location string = resourceGroup().location +import { lockType } from 'br/public:avm/utl/types/avm-common-types:0.4.1' @sys.description('Optional. The lock settings of the service.') -param lock lockType +param lock lockType? +import { roleAssignmentType } from 'br/public:avm/utl/types/avm-common-types:0.4.1' @sys.description('Optional. Array of role assignments to create.') -param roleAssignments roleAssignmentType +param roleAssignments roleAssignmentType[]? @sys.description('Optional. Tags of the resource.') param tags object? 
@@ -23,7 +25,7 @@ param tags object? @sys.description('Optional. A description of the Network Manager.') param description string = '' -@sys.description('Required. Scope Access. String array containing any of "Connectivity", "SecurityAdmin". The connectivity feature allows you to create network topologies at scale. The security admin feature lets you create high-priority security rules, which take precedence over NSGs.') +@sys.description('Optional. Scope Access (Also known as features). String array containing any of "Connectivity", "SecurityAdmin", or "Routing". The connectivity feature allows you to create network topologies at scale. The security admin feature lets you create high-priority security rules, which take precedence over NSGs. The routing feature allows you to describe your desired routing behavior and orchestrate user-defined routes (UDRs) to create and maintain the desired routing behavior. If none of the features are required, then this parameter does not need to be specified, which then only enables features like "IPAM" and "Virtual Network Verifier".') param networkManagerScopeAccesses networkManagerScopeAccessType @sys.description('Required. Scope of Network Manager. Contains a list of management groups or a list of subscriptions. This defines the boundary of network resources that this Network Manager instance can manage. If using Management Groups, ensure that the "Microsoft.Network" resource provider is registered for those Management Groups prior to deployment. Must contain at least one management group or subscription.') 
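Review bot: The new description marks `networkManagerScopeAccesses` as Optional, but the declaration `param networkManagerScopeAccesses networkManagerScopeAccessType` on the following context line still has no default, so omission only works because the type is made nullable later in this diff; the code that builds the `networkManagerScopeAccesses` property on the `networkManager` resource is outside this hunk and presumably needs to coalesce a missing value (`networkManagerScopeAccesses ?? []`) rather than pass a null through to the resource provider. Since this parameter is the switch that lets the manager push security admin rules that override NSGs and orchestrate UDRs across every VNet in scope, I would also add one sentence to the description saying that a feature should be enabled only when a matching `securityAdminConfigurations` / `routingConfigurations` (or connectivity) configuration is actually deployed, so the manager itself is kept to least privilege.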
@@ -38,15 +40,18 @@ param connectivityConfigurations connectivityConfigurationsType @sys.description('Optional. Scope Connections to create for the network manager. Allows network manager to manage resources from another tenant. Supports management groups or subscriptions from another tenant.') param scopeConnections scopeConnectionType -@sys.description('Optional. Security Admin Configurations, Rule Collections and Rules to create for the network manager. Azure Virtual Network Manager provides two different types of configurations you can deploy across your virtual networks, one of them being a SecurityAdmin configuration. A security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules. You then associate the rule collection with the network groups that you want to apply the security admin rules to.') +@sys.description('Optional. Security Admin Configurations requires enabling the "SecurityAdmin" feature on Network Manager. A security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules. You then associate the rule collection with the network groups that you want to apply the security admin rules to.') param securityAdminConfigurations securityAdminConfigurationsType +@sys.description('Optional. Routing Configurations requires enabling the "Routing" feature on Network Manager. A routing configuration contains a set of rule collections. Each rule collection contains one or more routing rules.') +param routingConfigurations routingConfigurationsType + @sys.description('Optional. 
Enable/Disable usage telemetry for module.') param enableTelemetry bool = true var builtInRoleNames = { Contributor: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') - 'IPAM Pool Contributor': subscriptionResourceId( + 'IPAM Pool User': subscriptionResourceId( 'Microsoft.Authorization/roleDefinitions', '7b3e853f-ad5d-4fb5-a7b8-56a3581c7037' ) @@ -104,7 +109,7 @@ resource avmTelemetry 'Microsoft.Resources/deployments@2024-03-01' = if (enableT } } -resource networkManager 'Microsoft.Network/networkManagers@2023-11-01' = { +resource networkManager 'Microsoft.Network/networkManagers@2024-05-01' = { name: name location: location tags: tags @@ -121,8 +126,9 @@ module networkManager_networkGroups 'network-group/main.bicep' = [ params: { name: networkGroup.name networkManagerName: networkManager.name - description: networkGroup.?description ?? '' + description: networkGroup.?description staticMembers: networkGroup.?staticMembers + memberType: networkGroup.?memberType ?? 'VirtualNetwork' } } ] @@ -133,7 +139,7 @@ module networkManager_connectivityConfigurations 'connectivity-configuration/mai params: { name: connectivityConfiguration.name networkManagerName: networkManager.name - description: connectivityConfiguration.?description ?? '' + description: connectivityConfiguration.?description appliesToGroups: connectivityConfiguration.?appliesToGroups ?? [] connectivityTopology: connectivityConfiguration.connectivityTopology hubs: connectivityConfiguration.?hubs ?? [] @@ -150,7 +156,7 @@ module networkManager_scopeConnections 'scope-connection/main.bicep' = [ params: { name: scopeConnection.name networkManagerName: networkManager.name - description: scopeConnection.?description ?? '' + description: scopeConnection.?description resourceId: scopeConnection.resourceId tenantId: scopeConnection.tenantId } 
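Review bot: The `builtInRoleNames` change at the end of the hunk renames only the friendly-name key to `'IPAM Pool User'` while the GUID `7b3e853f-ad5d-4fb5-a7b8-56a3581c7037` it resolves to is unchanged, so what actually changed is which display name grants that permission set. Please confirm against the current Azure built-in roles table which of the two roles owns that GUID: if the old key was right, a caller asking for the lower-privilege 'User' role would now receive contributor-level rights, and if the new key is right the old mapping was an over-grant that deserves a changelog entry. Either way it is a breaking change for any consumer still passing `roleDefinitionIdOrName: 'IPAM Pool Contributor'`; the name-to-GUID lookup is outside this hunk, but such a value would presumably no longer match the map and fall through to the unmatched-name path. A short README/changelog note, and a second map entry for the other IPAM role if both exist as built-ins, would avoid the surprise.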
@@ -163,7 +169,7 @@ module networkManager_securityAdminConfigurations 'security-admin-configuration/ params: { name: securityAdminConfiguration.name networkManagerName: networkManager.name - description: securityAdminConfiguration.?description ?? '' + description: securityAdminConfiguration.?description applyOnNetworkIntentPolicyBasedServices: securityAdminConfiguration.applyOnNetworkIntentPolicyBasedServices ruleCollections: securityAdminConfiguration.?ruleCollections ?? [] } @@ -171,6 +177,19 @@ module networkManager_securityAdminConfigurations 'security-admin-configuration/ } ] +module networkManager_routingConfigurations 'routing-configuration/main.bicep' = [ + for (routingConfiguration, index) in routingConfigurations ?? []: { + name: '${uniqueString(deployment().name, location)}-NetworkManager-RoutingConfigurations-${index}' + params: { + name: routingConfiguration.name + networkManagerName: networkManager.name + description: routingConfiguration.?description + ruleCollections: routingConfiguration.?ruleCollections ?? [] + } + dependsOn: networkManager_networkGroups + } +] + resource networkManager_lock 'Microsoft.Authorization/locks@2020-05-01' = if (!empty(lock ?? {}) && lock.?kind != 'None') { name: lock.?name ?? 'lock-${name}' properties: { 
@@ -214,40 +233,7 @@ output location string = networkManager.location // Definitions // // =============== // -type lockType = { - @sys.description('Optional. Specify the name of lock.') - name: string? - - @sys.description('Optional. Specify the type of lock.') - kind: ('CanNotDelete' | 'ReadOnly' | 'None')? -}? - -type roleAssignmentType = { - @sys.description('Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated.') - name: string? - - @sys.description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') - roleDefinitionIdOrName: string - - @sys.description('Required. The principal ID of the principal (user/group/identity) to assign the role to.') - principalId: string - - @sys.description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? - - @sys.description('Optional. The description of the role assignment.') - description: string? - - @sys.description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') - condition: string? - - @sys.description('Optional. Version of the condition.') - conditionVersion: '2.0'? - - @sys.description('Optional. The Resource Id of the delegated managed identity resource.') - delegatedManagedIdentityResourceId: string? -}[]? - +import { staticMembersType } from 'network-group/main.bicep' type networkGroupType = { @sys.description('Required. The name of the network group.') name: string 
@@ -255,17 +241,14 @@ type networkGroupType = { @sys.description('Optional. A description of the network group.') description: string? - @sys.description('Optional. Static Members to create for the network group. Contains virtual networks to add to the network group.') - staticMembers: { - @sys.description('Required. The name of the static member.') - name: string + @sys.description('Optional. The type of the group member. Subnet member type is used for routing configurations.') + memberType: ('Subnet' | 'VirtualNetwork')? - @sys.description('Required. Resource ID of the virtual network.') - resourceId: string - }[]? + @sys.description('Optional. Static Members to create for the network group. Contains virtual networks to add to the network group.') + staticMembers: staticMembersType? }[]? -type networkManagerScopeAccessType = ('Connectivity' | 'SecurityAdmin')[] +type networkManagerScopeAccessType = ('Connectivity' | 'SecurityAdmin' | 'Routing')[]? type networkManagerScopesType = { @sys.description('Conditional. List of fully qualified IDs of management groups to assign to the network manager to manage. Required if `subscriptions` is not provided. Fully qualified ID format: \'/providers/Microsoft.Management/managementGroups/{managementGroupId}\'.') @@ -289,6 +272,7 @@ type scopeConnectionType = { tenantId: string }[]? +import { appliesToGroupsType, hubsType } from 'connectivity-configuration/main.bicep' type connectivityConfigurationsType = { @sys.description('Required. The name of the connectivity configuration.') name: string 
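Review bot: The `staticMembers` description kept by this hunk still says `Contains virtual networks to add to the network group`, yet the new `memberType` property directly above it allows `'Subnet'`, so a group declared with `memberType: 'Subnet'` carries subnet resource IDs as members and the text is now misleading for exactly the routing use case the change introduces. Suggest `@sys.description('Optional. Static Members to create for the network group. Contains the virtual networks or subnets (matching memberType) to add to the network group.')`. The `memberType` description could also state the fallback the parent applies when it is omitted (`'VirtualNetwork'`, per the `networkManager_networkGroups` module call earlier in this diff), so readers can tell that leaving it out yields a VNet-scoped group. The `networkGroupType` definition begins before this hunk.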
@@ -297,31 +281,13 @@ type connectivityConfigurationsType = { description: string? @sys.description('Required. Network Groups for the configuration. A connectivity configuration must be associated to at least one network group.') - appliesToGroups: { - @sys.description('Required. Group connectivity type.') - groupConnectivity: ('DirectlyConnected' | 'None') - - @sys.description('Optional. Flag if global is supported.') - isGlobal: bool? - - @sys.description('Required. Resource Id of the network group.') - networkGroupResourceId: string - - @sys.description('Optional. Flag if use hub gateway.') - useHubGateway: bool? - }[] + appliesToGroups: appliesToGroupsType @sys.description('Required. The connectivity topology to apply the configuration to.') connectivityTopology: ('HubAndSpoke' | 'Mesh') @sys.description('Optional. The hubs to apply the configuration to.') - hubs: { - @sys.description('Required. Resource Id of the hub.') - resourceId: string - - @sys.description('Required. Resource type of the hub.') - resourceType: 'Microsoft.Network/virtualNetworks' - }[]? + hubs: hubsType? @sys.description('Optional. Delete existing peering connections.') deleteExistingPeering: bool? @@ -330,6 +296,7 @@ type connectivityConfigurationsType = { isGlobal: bool? }[]? +import { applyOnNetworkIntentPolicyBasedServicesType, securityAdminConfigurationRuleCollectionType } from 'security-admin-configuration/main.bicep' type securityAdminConfigurationsType = { @sys.description('Required. The name of the security admin configuration.') name: string 
@@ -338,67 +305,20 @@ type securityAdminConfigurationsType = { description: string? @sys.description('Required. Apply on network intent policy based services.') - applyOnNetworkIntentPolicyBasedServices: ('None' | 'All' | 'AllowRulesOnly')[] + applyOnNetworkIntentPolicyBasedServices: applyOnNetworkIntentPolicyBasedServicesType @sys.description('Optional. Rule collections to create for the security admin configuration.') - ruleCollections: { - @sys.description('Required. The name of the admin rule collection.') - name: string - - @sys.description('Optional. A description of the admin rule collection.') - description: string? - - @sys.description('Required. List of network groups for configuration. An admin rule collection must be associated to at least one network group.') - appliesToGroups: { - @sys.description('Required. The resource ID of the network group.') - networkGroupResourceId: string - }[] - - @sys.description('Optional. List of rules for the admin rules collection. Security admin rules allows enforcing security policy criteria that matches the conditions set. Warning: A rule collection without rule will cause a deployment configuration for security admin goal state in network manager to fail.') - rules: { - @sys.description('Required. The name of the rule.') - name: string - - @sys.description('Required. Indicates the access allowed for this particular rule. "Allow" means traffic matching this rule will be allowed. "Deny" means traffic matching this rule will be blocked. "AlwaysAllow" means that traffic matching this rule will be allowed regardless of other rules with lower priority or user-defined NSGs.') - access: 'Allow' | 'AlwaysAllow' | 'Deny' - - @sys.description('Optional. A description of the rule.') - description: string? - - @sys.description('Optional. List of destination port ranges. This specifies on which ports traffic will be allowed or denied by this rule. Provide an (*) to allow traffic on any port. 
Port ranges are between 1-65535.') - destinationPortRanges: string[]? - - @sys.description('Optional. The destnations filter can be an IP Address or a service tag. Each filter contains the properties AddressPrefixType (IPPrefix or ServiceTag) and AddressPrefix (using CIDR notation (e.g. 192.168.99.0/24 or 2001:1234::/64) or a service tag (e.g. AppService.WestEurope)). Combining CIDR and Service tags in one rule filter is not permitted.') - destinations: { - @sys.description('Required. Address prefix type.') - addressPrefixType: 'IPPrefix' | 'ServiceTag' - - @sys.description('Required. Address prefix.') - addressPrefix: string - }[]? - - @sys.description('Required. Indicates if the traffic matched against the rule in inbound or outbound.') - direction: 'Inbound' | 'Outbound' - - @minValue(1) - @maxValue(4096) - @sys.description('Required. The priority of the rule. The value can be between 1 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule.') - priority: int - - @sys.description('Required. Network protocol this rule applies to.') - protocol: 'Ah' | 'Any' | 'Esp' | 'Icmp' | 'Tcp' | 'Udp' - - @sys.description('Optional. List of destination port ranges. This specifies on which ports traffic will be allowed or denied by this rule. Provide an (*) to allow traffic on any port. Port ranges are between 1-65535.') - sourcePortRanges: string[]? - - @sys.description('Optional. The source filter can be an IP Address or a service tag. Each filter contains the properties AddressPrefixType (IPPrefix or ServiceTag) and AddressPrefix (using CIDR notation (e.g. 192.168.99.0/24 or 2001:1234::/64) or a service tag (e.g. AppService.WestEurope)). Combining CIDR and Service tags in one rule filter is not permitted.') - sources: { - @sys.description('Required. Address prefix type.') - addressPrefixType: 'IPPrefix' | 'ServiceTag' - - @sys.description('Required. 
Address prefix.') - addressPrefix: string - }[]? - }[]? - }[]? + ruleCollections: securityAdminConfigurationRuleCollectionType? +}[]? + +import { routingConfigurationRuleCollectionType } from 'routing-configuration/main.bicep' +type routingConfigurationsType = { + @sys.description('Required. The name of the routing configuration.') + name: string + + @sys.description('Optional. A description of the routing configuration.') + description: string? + + @sys.description('Optional. Rule collections to create for the routing configuration.') + ruleCollections: routingConfigurationRuleCollectionType? }[]? diff --git a/avm/res/network/network-manager/main.json b/avm/res/network/network-manager/main.json index f0c9304890..4cf4808e6f 100644 --- a/avm/res/network/network-manager/main.json +++ b/avm/res/network/network-manager/main.json 
@@ -6,148 +6,44 @@ "_generator": { "name": "bicep", "version": "0.32.4.45862", - "templateHash": "2327598248014825071" + "templateHash": "9673572396035328828" }, "name": "Network Managers", "description": "This module deploys a Network Manager.", "owner": "Azure/module-maintainers" }, "definitions": { - "lockType": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify the name of lock." - } - }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, - "metadata": { - "description": "Optional. Specify the type of lock." - } - } - }, - "nullable": true - }, - "roleAssignmentType": { + "networkGroupType": { "type": "array", "items": { "type": "object", "properties": { "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated." - } - }, - "roleDefinitionIdOrName": { "type": "string", "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." + "description": "Required. The name of the network group." } }, "description": { "type": "string", "nullable": true, "metadata": { - "description": "Optional. The description of the role assignment." 
- } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." + "description": "Optional. A description of the network group." } }, - "conditionVersion": { + "memberType": { "type": "string", "allowedValues": [ - "2.0" + "Subnet", + "VirtualNetwork" ], "nullable": true, "metadata": { - "description": "Optional. Version of the condition." - } - }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } - } - } - }, - "nullable": true - }, - "networkGroupType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the network group." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. A description of the network group." + "description": "Optional. The type of the group member. Subnet member type is used for routing configurations." } }, "staticMembers": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the static member." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the virtual network." - } - } - } - }, + "$ref": "#/definitions/staticMembersType", "nullable": true, "metadata": { "description": "Optional. Static Members to create for the network group. Contains virtual networks to add to the network group." 
@@ -161,8 +57,10 @@ "type": "array", "allowedValues": [ "Connectivity", + "Routing", "SecurityAdmin" - ] + ], + "nullable": true }, "networkManagerScopesType": { "type": "object", @@ -242,42 +140,7 @@ } }, "appliesToGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "groupConnectivity": { - "type": "string", - "allowedValues": [ - "DirectlyConnected", - "None" - ], - "metadata": { - "description": "Required. Group connectivity type." - } - }, - "isGlobal": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Flag if global is supported." - } - }, - "networkGroupResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource Id of the network group." - } - }, - "useHubGateway": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Flag if use hub gateway." - } - } - } - }, + "$ref": "#/definitions/appliesToGroupsType", "metadata": { "description": "Required. Network Groups for the configuration. A connectivity configuration must be associated to at least one network group." } @@ -293,27 +156,7 @@ } }, "hubs": { - "type": "array", - "items": { - "type": "object", - "properties": { - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource Id of the hub." - } - }, - "resourceType": { - "type": "string", - "allowedValues": [ - "Microsoft.Network/virtualNetworks" - ], - "metadata": { - "description": "Required. Resource type of the hub." - } - } - } - }, + "$ref": "#/definitions/hubsType", "nullable": true, "metadata": { "description": "Optional. The hubs to apply the configuration to." 
@@ -356,197 +199,13 @@ } }, "applyOnNetworkIntentPolicyBasedServices": { - "type": "array", - "allowedValues": [ - "All", - "AllowRulesOnly", - "None" - ], + "$ref": "#/definitions/applyOnNetworkIntentPolicyBasedServicesType", "metadata": { "description": "Required. Apply on network intent policy based services." } }, "ruleCollections": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the admin rule collection." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. A description of the admin rule collection." - } - }, - "appliesToGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "networkGroupResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the network group." - } - } - } - }, - "metadata": { - "description": "Required. List of network groups for configuration. An admin rule collection must be associated to at least one network group." - } - }, - "rules": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the rule." - } - }, - "access": { - "type": "string", - "allowedValues": [ - "Allow", - "AlwaysAllow", - "Deny" - ], - "metadata": { - "description": "Required. Indicates the access allowed for this particular rule. \"Allow\" means traffic matching this rule will be allowed. \"Deny\" means traffic matching this rule will be blocked. \"AlwaysAllow\" means that traffic matching this rule will be allowed regardless of other rules with lower priority or user-defined NSGs." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. A description of the rule." 
- } - }, - "destinationPortRanges": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. List of destination port ranges. This specifies on which ports traffic will be allowed or denied by this rule. Provide an (*) to allow traffic on any port. Port ranges are between 1-65535." - } - }, - "destinations": { - "type": "array", - "items": { - "type": "object", - "properties": { - "addressPrefixType": { - "type": "string", - "allowedValues": [ - "IPPrefix", - "ServiceTag" - ], - "metadata": { - "description": "Required. Address prefix type." - } - }, - "addressPrefix": { - "type": "string", - "metadata": { - "description": "Required. Address prefix." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The destnations filter can be an IP Address or a service tag. Each filter contains the properties AddressPrefixType (IPPrefix or ServiceTag) and AddressPrefix (using CIDR notation (e.g. 192.168.99.0/24 or 2001:1234::/64) or a service tag (e.g. AppService.WestEurope)). Combining CIDR and Service tags in one rule filter is not permitted." - } - }, - "direction": { - "type": "string", - "allowedValues": [ - "Inbound", - "Outbound" - ], - "metadata": { - "description": "Required. Indicates if the traffic matched against the rule in inbound or outbound." - } - }, - "priority": { - "type": "int", - "minValue": 1, - "maxValue": 4096, - "metadata": { - "description": "Required. The priority of the rule. The value can be between 1 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule." - } - }, - "protocol": { - "type": "string", - "allowedValues": [ - "Ah", - "Any", - "Esp", - "Icmp", - "Tcp", - "Udp" - ], - "metadata": { - "description": "Required. Network protocol this rule applies to." 
- } - }, - "sourcePortRanges": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. List of destination port ranges. This specifies on which ports traffic will be allowed or denied by this rule. Provide an (*) to allow traffic on any port. Port ranges are between 1-65535." - } - }, - "sources": { - "type": "array", - "items": { - "type": "object", - "properties": { - "addressPrefixType": { - "type": "string", - "allowedValues": [ - "IPPrefix", - "ServiceTag" - ], - "metadata": { - "description": "Required. Address prefix type." - } - }, - "addressPrefix": { - "type": "string", - "metadata": { - "description": "Required. Address prefix." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The source filter can be an IP Address or a service tag. Each filter contains the properties AddressPrefixType (IPPrefix or ServiceTag) and AddressPrefix (using CIDR notation (e.g. 192.168.99.0/24 or 2001:1234::/64) or a service tag (e.g. AppService.WestEurope)). Combining CIDR and Service tags in one rule filter is not permitted." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. List of rules for the admin rules collection. Security admin rules allows enforcing security policy criteria that matches the conditions set. Warning: A rule collection without rule will cause a deployment configuration for security admin goal state in network manager to fail." - } - } - } - }, + "$ref": "#/definitions/securityAdminConfigurationRuleCollectionType", "nullable": true, "metadata": { "description": "Optional. Rule collections to create for the security admin configuration." 
@@ -555,643 +214,2495 @@ } }, "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "minLength": 1, - "maxLength": 64, - "metadata": { - "description": "Required. Name of the Network Manager." - } }, - "location": { - "type": "string", - "defaultValue": "[resourceGroup().location]", - "metadata": { - "description": "Optional. Location for all resources." - } + "routingConfigurationsType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the routing configuration." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. A description of the routing configuration." + } + }, + "ruleCollections": { + "$ref": "#/definitions/routingConfigurationRuleCollectionType", + "nullable": true, + "metadata": { + "description": "Optional. Rule collections to create for the routing configuration." + } + } + } + }, + "nullable": true }, - "lock": { - "$ref": "#/definitions/lockType", + "_1.appliesToType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "networkGroupResourceId": { + "type": "string", + "metadata": { + "description": "Required. The resource ID of the network group." + } + } + } + }, "metadata": { - "description": "Optional. The lock settings of the service." + "__bicep_imported_from!": { + "sourceTemplate": "routing-configuration/rule-collection/main.bicep" + } } }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", + "_1.rulesType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the rule." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. A description of the rule." 
+ } + }, + "destination": { + "$ref": "#/definitions/_2.destinationType", + "metadata": { + "description": "Required. The destination can be IP addresses or Service Tag for this route. Address Prefixes are defined using the CIDR format, while Service tags are predefined identifiers that represent a category of IP addresses, which are managed by Azure." + } + }, + "nextHop": { + "$ref": "#/definitions/_2.nextHopType", + "metadata": { + "description": "Required. The next hop handles the matching packets for this route. It can be the virtual network, the virtual network gateway, the internet, a virtual appliance, or none. Virtual network gateways cannot be used if the address prefix is IPv6. If the next hop type is VirtualAppliance, the next hop address must be specified." + } + } + } + }, + "nullable": true, "metadata": { - "description": "Optional. Array of role assignments to create." + "__bicep_imported_from!": { + "sourceTemplate": "routing-configuration/rule-collection/main.bicep" + } } }, - "tags": { + "_2.destinationType": { "type": "object", - "nullable": true, + "properties": { + "type": { + "type": "string", + "allowedValues": [ + "AddressPrefix", + "ServiceTag" + ], + "metadata": { + "description": "Required. The destination type can be IP addresses or Service Tag for this route. Address Prefixes are defined using the CIDR format, while Service tags are predefined identifiers that represent a category of IP addresses, which are managed by Azure." + } + }, + "destinationAddress": { + "type": "string", + "metadata": { + "description": "Required. The destination IP addresses or Service Tag for this route. For IP addresses, it is the IP address range in CIDR notation that this route applies to. If the destination IP address of a packet falls in this range, it matches this route. As for Service Tags, valid identifiers can be \"AzureCloud\", \"Storage.AustraliaEast\", etc. 
See https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview for more information on service tags." + } + } + }, "metadata": { - "description": "Optional. Tags of the resource." + "__bicep_imported_from!": { + "sourceTemplate": "routing-configuration/rule-collection/rule/main.bicep" + } } }, - "description": { - "type": "string", - "defaultValue": "", - "maxLength": 500, + "_2.nextHopType": { + "type": "object", + "properties": { + "nextHopType": { + "type": "string", + "allowedValues": [ + "Internet", + "NoNextHop", + "VirtualAppliance", + "VirtualNetworkGateway", + "VnetLocal" + ], + "metadata": { + "description": "Required. The next hop handles the matching packets for this route. It can be the virtual network, the virtual network gateway, the internet, a virtual appliance, or none. Virtual network gateways cannot be used if the address prefix is IPv6. If the next hop type is VirtualAppliance, the next hop address must be specified." + } + }, + "nextHopAddress": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Conditional. The IP address of the next hop. Required if the next hop type is VirtualAppliance." + } + } + }, "metadata": { - "description": "Optional. A description of the Network Manager." + "__bicep_imported_from!": { + "sourceTemplate": "routing-configuration/rule-collection/rule/main.bicep" + } } }, - "networkManagerScopeAccesses": { - "$ref": "#/definitions/networkManagerScopeAccessType", + "_3.appliesToGroupsType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "networkGroupResourceId": { + "type": "string", + "metadata": { + "description": "Required. The resource ID of the network group." + } + } + } + }, "metadata": { - "description": "Required. Scope Access. String array containing any of \"Connectivity\", \"SecurityAdmin\". The connectivity feature allows you to create network topologies at scale. 
The security admin feature lets you create high-priority security rules, which take precedence over NSGs." + "__bicep_imported_from!": { + "sourceTemplate": "security-admin-configuration/rule-collection/main.bicep" + } } }, - "networkManagerScopes": { - "$ref": "#/definitions/networkManagerScopesType", + "_3.rulesType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the rule." + } + }, + "access": { + "type": "string", + "allowedValues": [ + "Allow", + "AlwaysAllow", + "Deny" + ], + "metadata": { + "description": "Required. Indicates the access allowed for this particular rule. \"Allow\" means traffic matching this rule will be allowed. \"Deny\" means traffic matching this rule will be blocked. \"AlwaysAllow\" means that traffic matching this rule will be allowed regardless of other rules with lower priority or user-defined NSGs." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. A description of the rule." + } + }, + "destinationPortRanges": { + "$ref": "#/definitions/_4.destinationPortRangesType", + "nullable": true, + "metadata": { + "description": "Optional. List of destination port ranges. This specifies on which ports traffic will be allowed or denied by this rule. Provide an (*) to allow traffic on any port. Port ranges are between 1-65535." + } + }, + "destinations": { + "$ref": "#/definitions/_4.destinationsType", + "nullable": true, + "metadata": { + "description": "Optional. The destnations filter can be an IP Address or a service tag. Each filter contains the properties AddressPrefixType (IPPrefix or ServiceTag) and AddressPrefix (using CIDR notation (e.g. 192.168.99.0/24 or 2001:1234::/64) or a service tag (e.g. AppService.WestEurope)). Combining CIDR and Service tags in one rule filter is not permitted." 
+ } + }, + "direction": { + "type": "string", + "allowedValues": [ + "Inbound", + "Outbound" + ], + "metadata": { + "description": "Required. Indicates if the traffic matched against the rule in inbound or outbound." + } + }, + "priority": { + "type": "int", + "minValue": 1, + "maxValue": 4096, + "metadata": { + "description": "Required. The priority of the rule. The value can be between 1 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule." + } + }, + "protocol": { + "type": "string", + "allowedValues": [ + "Ah", + "Any", + "Esp", + "Icmp", + "Tcp", + "Udp" + ], + "metadata": { + "description": "Required. Network protocol this rule applies to." + } + }, + "sourcePortRanges": { + "$ref": "#/definitions/_4.sourcePortRangesType", + "nullable": true, + "metadata": { + "description": "Optional. List of destination port ranges. This specifies on which ports traffic will be allowed or denied by this rule. Provide an (*) to allow traffic on any port. Port ranges are between 1-65535." + } + }, + "sources": { + "$ref": "#/definitions/_4.sourcesType", + "nullable": true, + "metadata": { + "description": "Optional. The source filter can be an IP Address or a service tag. Each filter contains the properties AddressPrefixType (IPPrefix or ServiceTag) and AddressPrefix (using CIDR notation (e.g. 192.168.99.0/24 or 2001:1234::/64) or a service tag (e.g. AppService.WestEurope)). Combining CIDR and Service tags in one rule filter is not permitted." + } + } + } + }, + "nullable": true, "metadata": { - "description": "Required. Scope of Network Manager. Contains a list of management groups or a list of subscriptions. This defines the boundary of network resources that this Network Manager instance can manage. If using Management Groups, ensure that the \"Microsoft.Network\" resource provider is registered for those Management Groups prior to deployment. 
Must contain at least one management group or subscription." + "__bicep_imported_from!": { + "sourceTemplate": "security-admin-configuration/rule-collection/main.bicep" + } } }, - "networkGroups": { - "$ref": "#/definitions/networkGroupType", + "_4.destinationPortRangesType": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, "metadata": { - "description": "Conditional. Network Groups and static members to create for the network manager. Required if using \"connectivityConfigurations\" or \"securityAdminConfigurations\" parameters. A network group is global container that includes a set of virtual network resources from any region. Then, configurations are applied to target the network group, which applies the configuration to all members of the group. The two types are group memberships are static and dynamic memberships. Static membership allows you to explicitly add virtual networks to a group by manually selecting individual virtual networks, and is available as a child module, while dynamic membership is defined through Azure policy. See [How Azure Policy works with Network Groups](https://learn.microsoft.com/en-us/azure/virtual-network-manager/concept-azure-policy-integration) for more details." + "__bicep_imported_from!": { + "sourceTemplate": "security-admin-configuration/rule-collection/rule/main.bicep" + } } }, - "connectivityConfigurations": { - "$ref": "#/definitions/connectivityConfigurationsType", + "_4.destinationsType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "addressPrefixType": { + "type": "string", + "allowedValues": [ + "IPPrefix", + "ServiceTag" + ], + "metadata": { + "description": "Required. Address prefix type." + } + }, + "addressPrefix": { + "type": "string", + "metadata": { + "description": "Required. Address prefix." + } + } + } + }, + "nullable": true, "metadata": { - "description": "Optional. Connectivity Configurations to create for the network manager. 
Network manager must contain at least one network group in order to define connectivity configurations." + "__bicep_imported_from!": { + "sourceTemplate": "security-admin-configuration/rule-collection/rule/main.bicep" + } } }, - "scopeConnections": { - "$ref": "#/definitions/scopeConnectionType", + "_4.sourcePortRangesType": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, "metadata": { - "description": "Optional. Scope Connections to create for the network manager. Allows network manager to manage resources from another tenant. Supports management groups or subscriptions from another tenant." + "__bicep_imported_from!": { + "sourceTemplate": "security-admin-configuration/rule-collection/rule/main.bicep" + } } }, - "securityAdminConfigurations": { - "$ref": "#/definitions/securityAdminConfigurationsType", + "_4.sourcesType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "addressPrefixType": { + "type": "string", + "allowedValues": [ + "IPPrefix", + "ServiceTag" + ], + "metadata": { + "description": "Required. Address prefix type." + } + }, + "addressPrefix": { + "type": "string", + "metadata": { + "description": "Required. Address prefix." + } + } + } + }, + "nullable": true, "metadata": { - "description": "Optional. Security Admin Configurations, Rule Collections and Rules to create for the network manager. Azure Virtual Network Manager provides two different types of configurations you can deploy across your virtual networks, one of them being a SecurityAdmin configuration. A security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules. You then associate the rule collection with the network groups that you want to apply the security admin rules to." 
+ "__bicep_imported_from!": { + "sourceTemplate": "security-admin-configuration/rule-collection/rule/main.bicep" + } } }, - "enableTelemetry": { - "type": "bool", - "defaultValue": true, + "appliesToGroupsType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "groupConnectivity": { + "type": "string", + "allowedValues": [ + "DirectlyConnected", + "None" + ], + "metadata": { + "description": "Required. Group connectivity type." + } + }, + "isGlobal": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Flag if global is supported." + } + }, + "networkGroupResourceId": { + "type": "string", + "metadata": { + "description": "Required. Resource Id of the network group." + } + }, + "useHubGateway": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Flag if use hub gateway." + } + } + } + }, "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." + "__bicep_imported_from!": { + "sourceTemplate": "connectivity-configuration/main.bicep" + } } - } - }, - "variables": { - "copy": [ - { - "name": "formattedRoleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]", - "input": "[union(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')], createObject('roleDefinitionId', coalesce(tryGet(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName), if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), 
createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName)))))]" + }, + "applyOnNetworkIntentPolicyBasedServicesType": { + "type": "array", + "allowedValues": [ + "All", + "AllowRulesOnly", + "None" + ], + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "security-admin-configuration/main.bicep" + } } - ], - "builtInRoleNames": { - "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", - "IPAM Pool Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b3e853f-ad5d-4fb5-a7b8-56a3581c7037')]", - "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", - "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", - "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", - "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", - "Role Based Access Control Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", - "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" - } - }, - "resources": { - "avmTelemetry": { - "condition": "[parameters('enableTelemetry')]", - "type": "Microsoft.Resources/deployments", - "apiVersion": "2024-03-01", - "name": "[format('46d3xbcp.res.network-networkmanager.{0}.{1}', replace('-..--..-', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", - "properties": { - "mode": "Incremental", - 
"template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "resources": [], - "outputs": { - "telemetry": { - "type": "String", - "value": "For more information, see https://aka.ms/avm/TelemetryInfo" + }, + "hubsType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "resourceId": { + "type": "string", + "metadata": { + "description": "Required. Resource Id of the hub." + } + }, + "resourceType": { + "type": "string", + "allowedValues": [ + "Microsoft.Network/virtualNetworks" + ], + "metadata": { + "description": "Required. Resource type of the hub." } } } + }, + "nullable": true, + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "connectivity-configuration/main.bicep" + } } }, - "networkManager": { - "type": "Microsoft.Network/networkManagers", - "apiVersion": "2023-11-01", - "name": "[parameters('name')]", - "location": "[parameters('location')]", - "tags": "[parameters('tags')]", - "properties": { - "description": "[parameters('description')]", - "networkManagerScopeAccesses": "[parameters('networkManagerScopeAccesses')]", - "networkManagerScopes": "[parameters('networkManagerScopes')]" - } - }, - "networkManager_lock": { - "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", - "type": "Microsoft.Authorization/locks", - "apiVersion": "2020-05-01", - "scope": "[format('Microsoft.Network/networkManagers/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", + "lockType": { + "type": "object", "properties": { - "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", - "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child resources.', 'Cannot delete or modify the resource or child resources.')]" + "name": { + "type": "string", + 
"nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } }, - "dependsOn": [ - "networkManager" - ] + "metadata": { + "description": "An AVM-aligned type for a lock.", + "__bicep_imported_from!": { + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.4.1" + } + } }, - "networkManager_roleAssignments": { - "copy": { - "name": "networkManager_roleAssignments", - "count": "[length(coalesce(variables('formattedRoleAssignments'), createArray()))]" - }, - "type": "Microsoft.Authorization/roleAssignments", - "apiVersion": "2022-04-01", - "scope": "[format('Microsoft.Network/networkManagers/{0}', parameters('name'))]", - "name": "[coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'name'), guid(resourceId('Microsoft.Network/networkManagers', parameters('name')), coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId, coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId))]", + "roleAssignmentType": { + "type": "object", "properties": { - "roleDefinitionId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId]", - "principalId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": 
"[if(not(empty(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated." + } + }, + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." 
+ } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." + } + } }, - "dependsOn": [ - "networkManager" - ] + "metadata": { + "description": "An AVM-aligned type for a role assignment.", + "__bicep_imported_from!": { + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.4.1" + } + } }, - "networkManager_networkGroups": { - "copy": { - "name": "networkManager_networkGroups", - "count": "[length(coalesce(parameters('networkGroups'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-NetworkManager-NetworkGroups-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { + "routingConfigurationRuleCollectionType": { + "type": "array", + "items": { + "type": "object", + "properties": { "name": { - "value": "[coalesce(parameters('networkGroups'), createArray())[copyIndex()].name]" - }, - "networkManagerName": { - "value": "[parameters('name')]" + "type": "string", + "metadata": { + "description": "Required. The name of the rule collection." + } }, "description": { - "value": "[coalesce(tryGet(coalesce(parameters('networkGroups'), createArray())[copyIndex()], 'description'), '')]" + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. A description of the rule collection." 
+ } }, - "staticMembers": { - "value": "[tryGet(coalesce(parameters('networkGroups'), createArray())[copyIndex()], 'staticMembers')]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.32.4.45862", - "templateHash": "8871976301945912789" - }, - "name": "Network Manager Network Groups", - "description": "This module deploys a Network Manager Network Group.\nA network group is a collection of same-type network resources that you can associate with network manager configurations. You can add same-type network resources after you create the network group.", - "owner": "Azure/module-maintainers" + "appliesTo": { + "$ref": "#/definitions/_1.appliesToType", + "metadata": { + "description": "Required. List of network groups for configuration. A routing rule collection must be associated to at least one network group." + } }, - "definitions": { - "staticMembersType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the static member." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the virtual network." - } - } - } - }, - "nullable": true + "disableBgpRoutePropagation": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Disables BGP route propagation for the rule collection. Defaults to true." } }, - "parameters": { - "networkManagerName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent network manager. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "maxLength": 64, - "metadata": { - "description": "Required. The name of the network group." 
- } - }, - "description": { - "type": "string", - "nullable": true, - "maxLength": 500, - "metadata": { - "description": "Optional. A description of the network group." - } - }, - "staticMembers": { - "$ref": "#/definitions/staticMembersType", - "metadata": { - "description": "Optional. Static Members to create for the network group. Contains virtual networks to add to the network group." - } + "rules": { + "$ref": "#/definitions/_1.rulesType", + "nullable": true, + "metadata": { + "description": "Optional. List of rules for the routing rules collection. Warning: A rule collection without a rule will cause a deployment of routing configuration to fail in network manager." + } + } + } + }, + "nullable": true, + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "routing-configuration/main.bicep" + } + } + }, + "securityAdminConfigurationRuleCollectionType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the admin rule collection." 
} }, - "resources": { - "networkManager": { - "existing": true, - "type": "Microsoft.Network/networkManagers", - "apiVersion": "2023-11-01", - "name": "[parameters('networkManagerName')]" - }, - "networkGroup": { - "type": "Microsoft.Network/networkManagers/networkGroups", - "apiVersion": "2023-11-01", - "name": "[format('{0}/{1}', parameters('networkManagerName'), parameters('name'))]", - "properties": { - "description": "[coalesce(parameters('description'), '')]" - } - }, - "networkGroup_staticMembers": { - "copy": { - "name": "networkGroup_staticMembers", - "count": "[length(coalesce(parameters('staticMembers'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-NetworkGroup-StaticMembers-{1}', uniqueString(deployment().name), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "networkManagerName": { - "value": "[parameters('networkManagerName')]" - }, - "networkGroupName": { - "value": "[parameters('name')]" - }, - "name": { - "value": "[coalesce(parameters('staticMembers'), createArray())[copyIndex()].name]" - }, - "resourceId": { - "value": "[coalesce(parameters('staticMembers'), createArray())[copyIndex()].resourceId]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.32.4.45862", - "templateHash": "17179520824104313247" - }, - "name": "Network Manager Network Group Static Members", - "description": "This module deploys a Network Manager Network Group Static Member.\nStatic membership allows you to explicitly add virtual networks to a group by manually selecting individual virtual networks.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "networkManagerName": { - "type": "string", - "metadata": { - "description": 
"Conditional. The name of the parent network manager. Required if the template is used in a standalone deployment." - } - }, - "networkGroupName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent network group. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the static member." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the virtual network." - } - } - }, - "resources": [ - { - "type": "Microsoft.Network/networkManagers/networkGroups/staticMembers", - "apiVersion": "2023-11-01", - "name": "[format('{0}/{1}/{2}', parameters('networkManagerName'), parameters('networkGroupName'), parameters('name'))]", - "properties": { - "resourceId": "[parameters('resourceId')]" - } - } - ], - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed static member." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed static member." - }, - "value": "[resourceId('Microsoft.Network/networkManagers/networkGroups/staticMembers', parameters('networkManagerName'), parameters('networkGroupName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the static member was deployed into." - }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "networkGroup" - ] + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. A description of the admin rule collection." } }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed network group." 
- }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed network group." - }, - "value": "[resourceId('Microsoft.Network/networkManagers/networkGroups', parameters('networkManagerName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the network group was deployed into." - }, - "value": "[resourceGroup().name]" + "appliesToGroups": { + "$ref": "#/definitions/_3.appliesToGroupsType", + "metadata": { + "description": "Required. List of network groups for configuration. An admin rule collection must be associated to at least one network group." + } + }, + "rules": { + "$ref": "#/definitions/_3.rulesType", + "nullable": true, + "metadata": { + "description": "Optional. List of rules for the admin rules collection. Security admin rules allows enforcing security policy criteria that matches the conditions set. Warning: A rule collection without rule will cause a deployment configuration for security admin goal state in network manager to fail." 
} } } }, - "dependsOn": [ - "networkManager" - ] + "nullable": true, + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "security-admin-configuration/main.bicep" + } + } }, - "networkManager_connectivityConfigurations": { - "copy": { - "name": "networkManager_connectivityConfigurations", - "count": "[length(coalesce(parameters('connectivityConfigurations'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-NetworkManager-ConnectivityConfigurations-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { + "staticMembersType": { + "type": "array", + "items": { + "type": "object", + "properties": { "name": { - "value": "[coalesce(parameters('connectivityConfigurations'), createArray())[copyIndex()].name]" - }, - "networkManagerName": { - "value": "[parameters('name')]" - }, - "description": { - "value": "[coalesce(tryGet(coalesce(parameters('connectivityConfigurations'), createArray())[copyIndex()], 'description'), '')]" - }, - "appliesToGroups": { - "value": "[coalesce(tryGet(coalesce(parameters('connectivityConfigurations'), createArray())[copyIndex()], 'appliesToGroups'), createArray())]" - }, - "connectivityTopology": { - "value": "[coalesce(parameters('connectivityConfigurations'), createArray())[copyIndex()].connectivityTopology]" - }, - "hubs": { - "value": "[coalesce(tryGet(coalesce(parameters('connectivityConfigurations'), createArray())[copyIndex()], 'hubs'), createArray())]" - }, - "deleteExistingPeering": { - "value": "[coalesce(tryGet(coalesce(parameters('connectivityConfigurations'), createArray())[copyIndex()], 'deleteExistingPeering'), false())]" + "type": "string", + "metadata": { + "description": "Required. The name of the static member." 
+ } }, - "isGlobal": { - "value": "[coalesce(tryGet(coalesce(parameters('connectivityConfigurations'), createArray())[copyIndex()], 'isGlobal'), false())]" + "resourceId": { + "type": "string", + "metadata": { + "description": "Required. Resource ID of the virtual network." + } } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.32.4.45862", - "templateHash": "9454472323100733583" - }, - "name": "Network Manager Connectivity Configurations", - "description": "This module deploys a Network Manager Connectivity Configuration.\nConnectivity configurations define hub-and-spoke or mesh topologies applied to one or more network groups.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "appliesToGroupsType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "groupConnectivity": { - "type": "string", - "allowedValues": [ - "DirectlyConnected", - "None" - ], - "metadata": { - "description": "Required. Group connectivity type." - } - }, - "isGlobal": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Flag if global is supported." - } - }, - "networkGroupResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource Id of the network group." - } - }, - "useHubGateway": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Flag if use hub gateway." - } - } - } - } - }, - "hubsType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource Id of the hub." 
- } + } + }, + "nullable": true, + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "network-group/main.bicep" + } + } + } + }, + "parameters": { + "name": { + "type": "string", + "minLength": 1, + "maxLength": 64, + "metadata": { + "description": "Required. Name of the Network Manager." + } + }, + "location": { + "type": "string", + "defaultValue": "[resourceGroup().location]", + "metadata": { + "description": "Optional. Location for all resources." + } + }, + "lock": { + "$ref": "#/definitions/lockType", + "nullable": true, + "metadata": { + "description": "Optional. The lock settings of the service." + } + }, + "roleAssignments": { + "type": "array", + "items": { + "$ref": "#/definitions/roleAssignmentType" + }, + "nullable": true, + "metadata": { + "description": "Optional. Array of role assignments to create." + } + }, + "tags": { + "type": "object", + "nullable": true, + "metadata": { + "description": "Optional. Tags of the resource." + } + }, + "description": { + "type": "string", + "defaultValue": "", + "maxLength": 500, + "metadata": { + "description": "Optional. A description of the Network Manager." + } + }, + "networkManagerScopeAccesses": { + "$ref": "#/definitions/networkManagerScopeAccessType", + "metadata": { + "description": "Optional. Scope Access (Also known as features). String array containing any of \"Connectivity\", \"SecurityAdmin\", or \"Routing\". The connectivity feature allows you to create network topologies at scale. The security admin feature lets you create high-priority security rules, which take precedence over NSGs. The routing feature allows you to describe your desired routing behavior and orchestrate user-defined routes (UDRs) to create and maintain the desired routing behavior. If none of the features are required, then this parameter does not need to be specified, which then only enables features like \"IPAM\" and \"Virtual Network Verifier\"." 
+ } + }, + "networkManagerScopes": { + "$ref": "#/definitions/networkManagerScopesType", + "metadata": { + "description": "Required. Scope of Network Manager. Contains a list of management groups or a list of subscriptions. This defines the boundary of network resources that this Network Manager instance can manage. If using Management Groups, ensure that the \"Microsoft.Network\" resource provider is registered for those Management Groups prior to deployment. Must contain at least one management group or subscription." + } + }, + "networkGroups": { + "$ref": "#/definitions/networkGroupType", + "metadata": { + "description": "Conditional. Network Groups and static members to create for the network manager. Required if using \"connectivityConfigurations\" or \"securityAdminConfigurations\" parameters. A network group is global container that includes a set of virtual network resources from any region. Then, configurations are applied to target the network group, which applies the configuration to all members of the group. The two types are group memberships are static and dynamic memberships. Static membership allows you to explicitly add virtual networks to a group by manually selecting individual virtual networks, and is available as a child module, while dynamic membership is defined through Azure policy. See [How Azure Policy works with Network Groups](https://learn.microsoft.com/en-us/azure/virtual-network-manager/concept-azure-policy-integration) for more details." + } + }, + "connectivityConfigurations": { + "$ref": "#/definitions/connectivityConfigurationsType", + "metadata": { + "description": "Optional. Connectivity Configurations to create for the network manager. Network manager must contain at least one network group in order to define connectivity configurations." + } + }, + "scopeConnections": { + "$ref": "#/definitions/scopeConnectionType", + "metadata": { + "description": "Optional. Scope Connections to create for the network manager. 
Allows network manager to manage resources from another tenant. Supports management groups or subscriptions from another tenant." + } + }, + "securityAdminConfigurations": { + "$ref": "#/definitions/securityAdminConfigurationsType", + "metadata": { + "description": "Optional. Security Admin Configurations requires enabling the \"SecurityAdmin\" feature on Network Manager. A security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules. You then associate the rule collection with the network groups that you want to apply the security admin rules to." + } + }, + "routingConfigurations": { + "$ref": "#/definitions/routingConfigurationsType", + "metadata": { + "description": "Optional. Routing Configurations requires enabling the \"Routing\" feature on Network Manager. A routing configuration contains a set of rule collections. Each rule collection contains one or more routing rules." + } + }, + "enableTelemetry": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Enable/Disable usage telemetry for module." 
+ } + } + }, + "variables": { + "copy": [ + { + "name": "formattedRoleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]", + "input": "[union(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')], createObject('roleDefinitionId', coalesce(tryGet(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName), if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName)))))]" + } + ], + "builtInRoleNames": { + "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", + "IPAM Pool User": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '7b3e853f-ad5d-4fb5-a7b8-56a3581c7037')]", + "LocalNGFirewallAdministrator role": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'a8835c7d-b5cb-47fa-b6f0-65ea10ce07a2')]", + "Network Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '4d97b98b-1d4f-4787-a291-c67834d212e7')]", + "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", + "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", + "Resource Policy Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '36243c78-bf99-498c-9df9-86d9f8d28608')]", + "Role Based Access Control Administrator": 
"[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]", + "User Access Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '18d7d88d-d35e-4fb5-a5c3-7773c20a72d9')]" + } + }, + "resources": { + "avmTelemetry": { + "condition": "[parameters('enableTelemetry')]", + "type": "Microsoft.Resources/deployments", + "apiVersion": "2024-03-01", + "name": "[format('46d3xbcp.res.network-networkmanager.{0}.{1}', replace('-..--..-', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", + "properties": { + "mode": "Incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "resources": [], + "outputs": { + "telemetry": { + "type": "String", + "value": "For more information, see https://aka.ms/avm/TelemetryInfo" + } + } + } + } + }, + "networkManager": { + "type": "Microsoft.Network/networkManagers", + "apiVersion": "2024-05-01", + "name": "[parameters('name')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "properties": { + "description": "[parameters('description')]", + "networkManagerScopeAccesses": "[parameters('networkManagerScopeAccesses')]", + "networkManagerScopes": "[parameters('networkManagerScopes')]" + } + }, + "networkManager_lock": { + "condition": "[and(not(empty(coalesce(parameters('lock'), createObject()))), not(equals(tryGet(parameters('lock'), 'kind'), 'None')))]", + "type": "Microsoft.Authorization/locks", + "apiVersion": "2020-05-01", + "scope": "[format('Microsoft.Network/networkManagers/{0}', parameters('name'))]", + "name": "[coalesce(tryGet(parameters('lock'), 'name'), format('lock-{0}', parameters('name')))]", + "properties": { + "level": "[coalesce(tryGet(parameters('lock'), 'kind'), '')]", + "notes": "[if(equals(tryGet(parameters('lock'), 'kind'), 'CanNotDelete'), 'Cannot delete resource or child 
resources.', 'Cannot delete or modify the resource or child resources.')]" + }, + "dependsOn": [ + "networkManager" + ] + }, + "networkManager_roleAssignments": { + "copy": { + "name": "networkManager_roleAssignments", + "count": "[length(coalesce(variables('formattedRoleAssignments'), createArray()))]" + }, + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.Network/networkManagers/{0}', parameters('name'))]", + "name": "[coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'name'), guid(resourceId('Microsoft.Network/networkManagers', parameters('name')), coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId, coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId))]", + "properties": { + "roleDefinitionId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId]", + "principalId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + }, + "dependsOn": [ + "networkManager" + ] + }, + "networkManager_networkGroups": { + "copy": { + 
"name": "networkManager_networkGroups", + "count": "[length(coalesce(parameters('networkGroups'), createArray()))]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-NetworkManager-NetworkGroups-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "name": { + "value": "[coalesce(parameters('networkGroups'), createArray())[copyIndex()].name]" + }, + "networkManagerName": { + "value": "[parameters('name')]" + }, + "description": { + "value": "[tryGet(coalesce(parameters('networkGroups'), createArray())[copyIndex()], 'description')]" + }, + "staticMembers": { + "value": "[tryGet(coalesce(parameters('networkGroups'), createArray())[copyIndex()], 'staticMembers')]" + }, + "memberType": { + "value": "[coalesce(tryGet(coalesce(parameters('networkGroups'), createArray())[copyIndex()], 'memberType'), 'VirtualNetwork')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.32.4.45862", + "templateHash": "12405776367730933548" + }, + "name": "Network Manager Network Groups", + "description": "This module deploys a Network Manager Network Group.\r\nA network group is a collection of same-type network resources that you can associate with network manager configurations. You can add same-type network resources after you create the network group.", + "owner": "Azure/module-maintainers" + }, + "definitions": { + "staticMembersType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the static member." 
+ } }, - "resourceType": { + "resourceId": { "type": "string", - "allowedValues": [ - "Microsoft.Network/virtualNetworks" - ], "metadata": { - "description": "Required. Resource type of the hub." + "description": "Required. Resource ID of the virtual network." + } + } + } + }, + "nullable": true, + "metadata": { + "__bicep_export!": true + } + } + }, + "parameters": { + "networkManagerName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent network manager. Required if the template is used in a standalone deployment." + } + }, + "name": { + "type": "string", + "maxLength": 64, + "metadata": { + "description": "Required. The name of the network group." + } + }, + "description": { + "type": "string", + "defaultValue": "", + "maxLength": 500, + "metadata": { + "description": "Optional. A description of the network group." + } + }, + "memberType": { + "type": "string", + "defaultValue": "VirtualNetwork", + "allowedValues": [ + "Subnet", + "VirtualNetwork" + ], + "metadata": { + "description": "Optional. The type of the group member. Subnet member type is used for routing configurations." + } + }, + "staticMembers": { + "$ref": "#/definitions/staticMembersType", + "metadata": { + "description": "Optional. Static Members to create for the network group. Contains virtual networks to add to the network group." 
+ } + } + }, + "resources": { + "networkManager": { + "existing": true, + "type": "Microsoft.Network/networkManagers", + "apiVersion": "2024-05-01", + "name": "[parameters('networkManagerName')]" + }, + "networkGroup": { + "type": "Microsoft.Network/networkManagers/networkGroups", + "apiVersion": "2024-05-01", + "name": "[format('{0}/{1}', parameters('networkManagerName'), parameters('name'))]", + "properties": { + "description": "[parameters('description')]", + "memberType": "[parameters('memberType')]" + } + }, + "networkGroup_staticMembers": { + "copy": { + "name": "networkGroup_staticMembers", + "count": "[length(coalesce(parameters('staticMembers'), createArray()))]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-NetworkGroup-StaticMembers-{1}', uniqueString(deployment().name), copyIndex())]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "networkManagerName": { + "value": "[parameters('networkManagerName')]" + }, + "networkGroupName": { + "value": "[parameters('name')]" + }, + "name": { + "value": "[coalesce(parameters('staticMembers'), createArray())[copyIndex()].name]" + }, + "resourceId": { + "value": "[coalesce(parameters('staticMembers'), createArray())[copyIndex()].resourceId]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.32.4.45862", + "templateHash": "10207263536223853430" + }, + "name": "Network Manager Network Group Static Members", + "description": "This module deploys a Network Manager Network Group Static Member.\r\nStatic membership allows you to explicitly add virtual networks to a group by manually selecting individual virtual networks.", + "owner": "Azure/module-maintainers" + }, + "parameters": { + "networkManagerName": { + "type": 
"string", + "metadata": { + "description": "Conditional. The name of the parent network manager. Required if the template is used in a standalone deployment." + } + }, + "networkGroupName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent network group. Required if the template is used in a standalone deployment." + } + }, + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the static member." + } + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "Required. Resource ID of the virtual network." + } + } + }, + "resources": [ + { + "type": "Microsoft.Network/networkManagers/networkGroups/staticMembers", + "apiVersion": "2024-05-01", + "name": "[format('{0}/{1}/{2}', parameters('networkManagerName'), parameters('networkGroupName'), parameters('name'))]", + "properties": { + "resourceId": "[parameters('resourceId')]" + } + } + ], + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the deployed static member." + }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the deployed static member." + }, + "value": "[resourceId('Microsoft.Network/networkManagers/networkGroups/staticMembers', parameters('networkManagerName'), parameters('networkGroupName'), parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The resource group the static member was deployed into." + }, + "value": "[resourceGroup().name]" + } + } + } + }, + "dependsOn": [ + "networkGroup" + ] + } + }, + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the deployed network group." + }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the deployed network group." 
+ }, + "value": "[resourceId('Microsoft.Network/networkManagers/networkGroups', parameters('networkManagerName'), parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The resource group the network group was deployed into." + }, + "value": "[resourceGroup().name]" + } + } + } + }, + "dependsOn": [ + "networkManager" + ] + }, + "networkManager_connectivityConfigurations": { + "copy": { + "name": "networkManager_connectivityConfigurations", + "count": "[length(coalesce(parameters('connectivityConfigurations'), createArray()))]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-NetworkManager-ConnectivityConfigurations-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "name": { + "value": "[coalesce(parameters('connectivityConfigurations'), createArray())[copyIndex()].name]" + }, + "networkManagerName": { + "value": "[parameters('name')]" + }, + "description": { + "value": "[tryGet(coalesce(parameters('connectivityConfigurations'), createArray())[copyIndex()], 'description')]" + }, + "appliesToGroups": { + "value": "[coalesce(tryGet(coalesce(parameters('connectivityConfigurations'), createArray())[copyIndex()], 'appliesToGroups'), createArray())]" + }, + "connectivityTopology": { + "value": "[coalesce(parameters('connectivityConfigurations'), createArray())[copyIndex()].connectivityTopology]" + }, + "hubs": { + "value": "[coalesce(tryGet(coalesce(parameters('connectivityConfigurations'), createArray())[copyIndex()], 'hubs'), createArray())]" + }, + "deleteExistingPeering": { + "value": "[coalesce(tryGet(coalesce(parameters('connectivityConfigurations'), createArray())[copyIndex()], 'deleteExistingPeering'), false())]" + }, + "isGlobal": { + "value": 
"[coalesce(tryGet(coalesce(parameters('connectivityConfigurations'), createArray())[copyIndex()], 'isGlobal'), false())]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.32.4.45862", + "templateHash": "16461686527041815345" + }, + "name": "Network Manager Connectivity Configurations", + "description": "This module deploys a Network Manager Connectivity Configuration.\r\nConnectivity configurations define hub-and-spoke or mesh topologies applied to one or more network groups.", + "owner": "Azure/module-maintainers" + }, + "definitions": { + "appliesToGroupsType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "groupConnectivity": { + "type": "string", + "allowedValues": [ + "DirectlyConnected", + "None" + ], + "metadata": { + "description": "Required. Group connectivity type." + } + }, + "isGlobal": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Flag if global is supported." + } + }, + "networkGroupResourceId": { + "type": "string", + "metadata": { + "description": "Required. Resource Id of the network group." + } + }, + "useHubGateway": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Flag if use hub gateway." + } + } + } + }, + "metadata": { + "__bicep_export!": true + } + }, + "hubsType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "resourceId": { + "type": "string", + "metadata": { + "description": "Required. Resource Id of the hub." + } + }, + "resourceType": { + "type": "string", + "allowedValues": [ + "Microsoft.Network/virtualNetworks" + ], + "metadata": { + "description": "Required. Resource type of the hub." 
+ } + } + } + }, + "nullable": true, + "metadata": { + "__bicep_export!": true + } + } + }, + "parameters": { + "networkManagerName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent network manager. Required if the template is used in a standalone deployment." + } + }, + "name": { + "type": "string", + "maxLength": 64, + "metadata": { + "description": "Required. The name of the connectivity configuration." + } + }, + "description": { + "type": "string", + "defaultValue": "", + "maxLength": 500, + "metadata": { + "description": "Optional. A description of the connectivity configuration." + } + }, + "appliesToGroups": { + "$ref": "#/definitions/appliesToGroupsType", + "metadata": { + "description": "Required. Network Groups for the configuration. A connectivity configuration must be associated to at least one network group." + } + }, + "connectivityTopology": { + "type": "string", + "allowedValues": [ + "HubAndSpoke", + "Mesh" + ], + "metadata": { + "description": "Required. Connectivity topology type." + } + }, + "hubs": { + "$ref": "#/definitions/hubsType", + "metadata": { + "description": "Conditional. List of hub items. This will create peerings between the specified hub and the virtual networks in the network group specified. Required if connectivityTopology is of type \"HubAndSpoke\"." + } + }, + "deleteExistingPeering": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Flag if need to remove current existing peerings. If set to \"True\", all peerings on virtual networks in selected network groups will be removed and replaced with the peerings defined by this configuration. Optional when connectivityTopology is of type \"HubAndSpoke\"." + } + }, + "isGlobal": { + "type": "bool", + "defaultValue": false, + "metadata": { + "description": "Optional. Flag if global mesh is supported. By default, mesh connectivity is applied to virtual networks within the same region. 
If set to \"True\", a global mesh enables connectivity across regions." + } + } + }, + "resources": { + "networkManager": { + "existing": true, + "type": "Microsoft.Network/networkManagers", + "apiVersion": "2024-05-01", + "name": "[parameters('networkManagerName')]" + }, + "connectivityConfiguration": { + "type": "Microsoft.Network/networkManagers/connectivityConfigurations", + "apiVersion": "2024-05-01", + "name": "[format('{0}/{1}', parameters('networkManagerName'), parameters('name'))]", + "properties": { + "appliesToGroups": "[map(parameters('appliesToGroups'), lambda('group', createObject('groupConnectivity', lambdaVariables('group').groupConnectivity, 'isGlobal', coalesce(string(lambdaVariables('group').isGlobal), 'false'), 'networkGroupId', lambdaVariables('group').networkGroupResourceId, 'useHubGateway', coalesce(string(lambdaVariables('group').useHubGateway), 'false'))))]", + "connectivityTopology": "[parameters('connectivityTopology')]", + "deleteExistingPeering": "[if(equals(parameters('connectivityTopology'), 'HubAndSpoke'), string(parameters('deleteExistingPeering')), 'false')]", + "description": "[parameters('description')]", + "hubs": "[if(equals(parameters('connectivityTopology'), 'HubAndSpoke'), parameters('hubs'), createArray())]", + "isGlobal": "[string(parameters('isGlobal'))]" + } + } + }, + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the deployed connectivity configuration." + }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the deployed connectivity configuration." + }, + "value": "[resourceId('Microsoft.Network/networkManagers/connectivityConfigurations', parameters('networkManagerName'), parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The resource group the connectivity configuration was deployed into." 
+ }, + "value": "[resourceGroup().name]" + } + } + } + }, + "dependsOn": [ + "networkManager", + "networkManager_networkGroups" + ] + }, + "networkManager_scopeConnections": { + "copy": { + "name": "networkManager_scopeConnections", + "count": "[length(coalesce(parameters('scopeConnections'), createArray()))]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-NetworkManager-ScopeConnections-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "name": { + "value": "[coalesce(parameters('scopeConnections'), createArray())[copyIndex()].name]" + }, + "networkManagerName": { + "value": "[parameters('name')]" + }, + "description": { + "value": "[tryGet(coalesce(parameters('scopeConnections'), createArray())[copyIndex()], 'description')]" + }, + "resourceId": { + "value": "[coalesce(parameters('scopeConnections'), createArray())[copyIndex()].resourceId]" + }, + "tenantId": { + "value": "[coalesce(parameters('scopeConnections'), createArray())[copyIndex()].tenantId]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.32.4.45862", + "templateHash": "9741647790841164162" + }, + "name": "Network Manager Scope Connections", + "description": "This module deploys a Network Manager Scope Connection.\r\nCreate a cross-tenant connection to manage a resource from another tenant.", + "owner": "Azure/module-maintainers" + }, + "parameters": { + "networkManagerName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent network manager. Required if the template is used in a standalone deployment." 
+ } + }, + "name": { + "type": "string", + "maxLength": 64, + "metadata": { + "description": "Required. The name of the scope connection." + } + }, + "description": { + "type": "string", + "defaultValue": "", + "maxLength": 500, + "metadata": { + "description": "Optional. A description of the scope connection." + } + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "Required. Enter the subscription or management group resource ID that you want to add to this network manager's scope." + } + }, + "tenantId": { + "type": "string", + "metadata": { + "description": "Required. Tenant ID of the subscription or management group that you want to manage." + } + } + }, + "resources": [ + { + "type": "Microsoft.Network/networkManagers/scopeConnections", + "apiVersion": "2024-05-01", + "name": "[format('{0}/{1}', parameters('networkManagerName'), parameters('name'))]", + "properties": { + "description": "[parameters('description')]", + "resourceId": "[parameters('resourceId')]", + "tenantId": "[parameters('tenantId')]" + } + } + ], + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the deployed scope connection." + }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the deployed scope connection." + }, + "value": "[resourceId('Microsoft.Network/networkManagers/scopeConnections', parameters('networkManagerName'), parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The resource group the scope connection was deployed into." 
+ }, + "value": "[resourceGroup().name]" + } + } + } + }, + "dependsOn": [ + "networkManager" + ] + }, + "networkManager_securityAdminConfigurations": { + "copy": { + "name": "networkManager_securityAdminConfigurations", + "count": "[length(coalesce(parameters('securityAdminConfigurations'), createArray()))]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-NetworkManager-SecurityAdminConfigurations-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "name": { + "value": "[coalesce(parameters('securityAdminConfigurations'), createArray())[copyIndex()].name]" + }, + "networkManagerName": { + "value": "[parameters('name')]" + }, + "description": { + "value": "[tryGet(coalesce(parameters('securityAdminConfigurations'), createArray())[copyIndex()], 'description')]" + }, + "applyOnNetworkIntentPolicyBasedServices": { + "value": "[coalesce(parameters('securityAdminConfigurations'), createArray())[copyIndex()].applyOnNetworkIntentPolicyBasedServices]" + }, + "ruleCollections": { + "value": "[coalesce(tryGet(coalesce(parameters('securityAdminConfigurations'), createArray())[copyIndex()], 'ruleCollections'), createArray())]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.32.4.45862", + "templateHash": "12859267430568475361" + }, + "name": "Network Manager Security Admin Configurations", + "description": "This module deploys an Network Manager Security Admin Configuration.\r\nA security admin configuration contains a set of rule collections. 
Each rule collection contains one or more security admin rules.", + "owner": "Azure/module-maintainers" + }, + "definitions": { + "applyOnNetworkIntentPolicyBasedServicesType": { + "type": "array", + "allowedValues": [ + "All", + "AllowRulesOnly", + "None" + ], + "metadata": { + "__bicep_export!": true + } + }, + "securityAdminConfigurationRuleCollectionType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the admin rule collection." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. A description of the admin rule collection." + } + }, + "appliesToGroups": { + "$ref": "#/definitions/appliesToGroupsType", + "metadata": { + "description": "Required. List of network groups for configuration. An admin rule collection must be associated to at least one network group." + } + }, + "rules": { + "$ref": "#/definitions/rulesType", + "nullable": true, + "metadata": { + "description": "Optional. List of rules for the admin rules collection. Security admin rules allows enforcing security policy criteria that matches the conditions set. Warning: A rule collection without rule will cause a deployment configuration for security admin goal state in network manager to fail." + } + } + } + }, + "nullable": true, + "metadata": { + "__bicep_export!": true + } + }, + "_1.destinationPortRangesType": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "rule-collection/rule/main.bicep" + } + } + }, + "_1.destinationsType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "addressPrefixType": { + "type": "string", + "allowedValues": [ + "IPPrefix", + "ServiceTag" + ], + "metadata": { + "description": "Required. Address prefix type." 
+ } + }, + "addressPrefix": { + "type": "string", + "metadata": { + "description": "Required. Address prefix." + } + } + } + }, + "nullable": true, + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "rule-collection/rule/main.bicep" + } + } + }, + "_1.sourcePortRangesType": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "rule-collection/rule/main.bicep" + } + } + }, + "_1.sourcesType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "addressPrefixType": { + "type": "string", + "allowedValues": [ + "IPPrefix", + "ServiceTag" + ], + "metadata": { + "description": "Required. Address prefix type." + } + }, + "addressPrefix": { + "type": "string", + "metadata": { + "description": "Required. Address prefix." + } + } + } + }, + "nullable": true, + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "rule-collection/rule/main.bicep" + } + } + }, + "appliesToGroupsType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "networkGroupResourceId": { + "type": "string", + "metadata": { + "description": "Required. The resource ID of the network group." + } + } + } + }, + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "rule-collection/main.bicep" + } + } + }, + "rulesType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the rule." + } + }, + "access": { + "type": "string", + "allowedValues": [ + "Allow", + "AlwaysAllow", + "Deny" + ], + "metadata": { + "description": "Required. Indicates the access allowed for this particular rule. \"Allow\" means traffic matching this rule will be allowed. \"Deny\" means traffic matching this rule will be blocked. 
\"AlwaysAllow\" means that traffic matching this rule will be allowed regardless of other rules with lower priority or user-defined NSGs." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. A description of the rule." + } + }, + "destinationPortRanges": { + "$ref": "#/definitions/_1.destinationPortRangesType", + "nullable": true, + "metadata": { + "description": "Optional. List of destination port ranges. This specifies on which ports traffic will be allowed or denied by this rule. Provide an (*) to allow traffic on any port. Port ranges are between 1-65535." + } + }, + "destinations": { + "$ref": "#/definitions/_1.destinationsType", + "nullable": true, + "metadata": { + "description": "Optional. The destnations filter can be an IP Address or a service tag. Each filter contains the properties AddressPrefixType (IPPrefix or ServiceTag) and AddressPrefix (using CIDR notation (e.g. 192.168.99.0/24 or 2001:1234::/64) or a service tag (e.g. AppService.WestEurope)). Combining CIDR and Service tags in one rule filter is not permitted." + } + }, + "direction": { + "type": "string", + "allowedValues": [ + "Inbound", + "Outbound" + ], + "metadata": { + "description": "Required. Indicates if the traffic matched against the rule in inbound or outbound." + } + }, + "priority": { + "type": "int", + "minValue": 1, + "maxValue": 4096, + "metadata": { + "description": "Required. The priority of the rule. The value can be between 1 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule." + } + }, + "protocol": { + "type": "string", + "allowedValues": [ + "Ah", + "Any", + "Esp", + "Icmp", + "Tcp", + "Udp" + ], + "metadata": { + "description": "Required. Network protocol this rule applies to." 
+ } + }, + "sourcePortRanges": { + "$ref": "#/definitions/_1.sourcePortRangesType", + "nullable": true, + "metadata": { + "description": "Optional. List of destination port ranges. This specifies on which ports traffic will be allowed or denied by this rule. Provide an (*) to allow traffic on any port. Port ranges are between 1-65535." + } + }, + "sources": { + "$ref": "#/definitions/_1.sourcesType", + "nullable": true, + "metadata": { + "description": "Optional. The source filter can be an IP Address or a service tag. Each filter contains the properties AddressPrefixType (IPPrefix or ServiceTag) and AddressPrefix (using CIDR notation (e.g. 192.168.99.0/24 or 2001:1234::/64) or a service tag (e.g. AppService.WestEurope)). Combining CIDR and Service tags in one rule filter is not permitted." + } + } + } + }, + "nullable": true, + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "rule-collection/main.bicep" + } + } + } + }, + "parameters": { + "networkManagerName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent network manager. Required if the template is used in a standalone deployment." + } + }, + "name": { + "type": "string", + "maxLength": 64, + "metadata": { + "description": "Required. The name of the security admin configuration." + } + }, + "description": { + "type": "string", + "defaultValue": "", + "maxLength": 500, + "metadata": { + "description": "Optional. A description of the security admin configuration." + } + }, + "applyOnNetworkIntentPolicyBasedServices": { + "$ref": "#/definitions/applyOnNetworkIntentPolicyBasedServicesType", + "metadata": { + "description": "Required. Enum list of network intent policy based services." + } + }, + "networkGroupAddressSpaceAggregationOption": { + "type": "string", + "defaultValue": "None", + "allowedValues": [ + "None", + "Manual" + ], + "metadata": { + "description": "Optional. 
Determine update behavior for changes to network groups referenced within the rules in this configuration." + } + }, + "ruleCollections": { + "$ref": "#/definitions/securityAdminConfigurationRuleCollectionType", + "metadata": { + "description": "Optional. A security admin configuration contains a set of rule collections that are applied to network groups. Each rule collection contains one or more security admin rules." + } + } + }, + "resources": { + "networkManager": { + "existing": true, + "type": "Microsoft.Network/networkManagers", + "apiVersion": "2024-05-01", + "name": "[parameters('networkManagerName')]" + }, + "securityAdminConfigurations": { + "type": "Microsoft.Network/networkManagers/securityAdminConfigurations", + "apiVersion": "2024-05-01", + "name": "[format('{0}/{1}', parameters('networkManagerName'), parameters('name'))]", + "properties": { + "description": "[parameters('description')]", + "applyOnNetworkIntentPolicyBasedServices": "[parameters('applyOnNetworkIntentPolicyBasedServices')]", + "networkGroupAddressSpaceAggregationOption": "[parameters('networkGroupAddressSpaceAggregationOption')]" + } + }, + "securityAdminConfigurations_ruleCollections": { + "copy": { + "name": "securityAdminConfigurations_ruleCollections", + "count": "[length(coalesce(parameters('ruleCollections'), createArray()))]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-SecurityAdminConfigurations-RuleCollections-{1}', uniqueString(deployment().name), copyIndex())]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "networkManagerName": { + "value": "[parameters('networkManagerName')]" + }, + "securityAdminConfigurationName": { + "value": "[parameters('name')]" + }, + "name": { + "value": "[coalesce(parameters('ruleCollections'), createArray())[copyIndex()].name]" + }, + "description": { + "value": "[tryGet(coalesce(parameters('ruleCollections'), 
createArray())[copyIndex()], 'description')]" + }, + "appliesToGroups": { + "value": "[coalesce(parameters('ruleCollections'), createArray())[copyIndex()].appliesToGroups]" + }, + "rules": { + "value": "[coalesce(tryGet(coalesce(parameters('ruleCollections'), createArray())[copyIndex()], 'rules'), createArray())]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.32.4.45862", + "templateHash": "11555299168771769835" + }, + "name": "Network Manager Security Admin Configuration Rule Collections", + "description": "This module deploys an Network Manager Security Admin Configuration Rule Collection.\r\nA security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules. Security admin rules allows enforcing security policy criteria that matches the conditions set. Warning: A rule collection without rule will cause a deployment configuration for security admin goal state in network manager to fail.", + "owner": "Azure/module-maintainers" + }, + "definitions": { + "appliesToGroupsType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "networkGroupResourceId": { + "type": "string", + "metadata": { + "description": "Required. The resource ID of the network group." + } + } + } + }, + "metadata": { + "__bicep_export!": true + } + }, + "rulesType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the rule." + } + }, + "access": { + "type": "string", + "allowedValues": [ + "Allow", + "AlwaysAllow", + "Deny" + ], + "metadata": { + "description": "Required. Indicates the access allowed for this particular rule. \"Allow\" means traffic matching this rule will be allowed. 
\"Deny\" means traffic matching this rule will be blocked. \"AlwaysAllow\" means that traffic matching this rule will be allowed regardless of other rules with lower priority or user-defined NSGs." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. A description of the rule." + } + }, + "destinationPortRanges": { + "$ref": "#/definitions/destinationPortRangesType", + "nullable": true, + "metadata": { + "description": "Optional. List of destination port ranges. This specifies on which ports traffic will be allowed or denied by this rule. Provide an (*) to allow traffic on any port. Port ranges are between 1-65535." + } + }, + "destinations": { + "$ref": "#/definitions/destinationsType", + "nullable": true, + "metadata": { + "description": "Optional. The destnations filter can be an IP Address or a service tag. Each filter contains the properties AddressPrefixType (IPPrefix or ServiceTag) and AddressPrefix (using CIDR notation (e.g. 192.168.99.0/24 or 2001:1234::/64) or a service tag (e.g. AppService.WestEurope)). Combining CIDR and Service tags in one rule filter is not permitted." + } + }, + "direction": { + "type": "string", + "allowedValues": [ + "Inbound", + "Outbound" + ], + "metadata": { + "description": "Required. Indicates if the traffic matched against the rule in inbound or outbound." + } + }, + "priority": { + "type": "int", + "minValue": 1, + "maxValue": 4096, + "metadata": { + "description": "Required. The priority of the rule. The value can be between 1 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule." + } + }, + "protocol": { + "type": "string", + "allowedValues": [ + "Ah", + "Any", + "Esp", + "Icmp", + "Tcp", + "Udp" + ], + "metadata": { + "description": "Required. Network protocol this rule applies to." 
+ } + }, + "sourcePortRanges": { + "$ref": "#/definitions/sourcePortRangesType", + "nullable": true, + "metadata": { + "description": "Optional. List of destination port ranges. This specifies on which ports traffic will be allowed or denied by this rule. Provide an (*) to allow traffic on any port. Port ranges are between 1-65535." + } + }, + "sources": { + "$ref": "#/definitions/sourcesType", + "nullable": true, + "metadata": { + "description": "Optional. The source filter can be an IP Address or a service tag. Each filter contains the properties AddressPrefixType (IPPrefix or ServiceTag) and AddressPrefix (using CIDR notation (e.g. 192.168.99.0/24 or 2001:1234::/64) or a service tag (e.g. AppService.WestEurope)). Combining CIDR and Service tags in one rule filter is not permitted." + } + } + } + }, + "nullable": true, + "metadata": { + "__bicep_export!": true + } + }, + "destinationPortRangesType": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "rule/main.bicep" + } + } + }, + "destinationsType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "addressPrefixType": { + "type": "string", + "allowedValues": [ + "IPPrefix", + "ServiceTag" + ], + "metadata": { + "description": "Required. Address prefix type." + } + }, + "addressPrefix": { + "type": "string", + "metadata": { + "description": "Required. Address prefix." 
+ } + } + } + }, + "nullable": true, + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "rule/main.bicep" + } + } + }, + "sourcePortRangesType": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "rule/main.bicep" + } + } + }, + "sourcesType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "addressPrefixType": { + "type": "string", + "allowedValues": [ + "IPPrefix", + "ServiceTag" + ], + "metadata": { + "description": "Required. Address prefix type." + } + }, + "addressPrefix": { + "type": "string", + "metadata": { + "description": "Required. Address prefix." + } + } + } + }, + "nullable": true, + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "rule/main.bicep" + } + } + } + }, + "parameters": { + "networkManagerName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent network manager. Required if the template is used in a standalone deployment." + } + }, + "securityAdminConfigurationName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent security admin configuration. Required if the template is used in a standalone deployment." + } + }, + "name": { + "type": "string", + "maxLength": 64, + "metadata": { + "description": "Required. The name of the admin rule collection." + } + }, + "description": { + "type": "string", + "defaultValue": "", + "maxLength": 500, + "metadata": { + "description": "Optional. A description of the admin rule collection." + } + }, + "appliesToGroups": { + "$ref": "#/definitions/appliesToGroupsType", + "metadata": { + "description": "Required. List of network groups for configuration. An admin rule collection must be associated to at least one network group." + } + }, + "rules": { + "$ref": "#/definitions/rulesType", + "metadata": { + "description": "Optional. List of rules for the admin rules collection. 
Security admin rules allows enforcing security policy criteria that matches the conditions set. Warning: A rule collection without rule will cause a deployment configuration for security admin goal state in network manager to fail." + } + } + }, + "resources": { + "networkManager::securityAdminConfiguration": { + "existing": true, + "type": "Microsoft.Network/networkManagers/securityAdminConfigurations", + "apiVersion": "2024-05-01", + "name": "[format('{0}/{1}', parameters('networkManagerName'), parameters('securityAdminConfigurationName'))]" + }, + "networkManager": { + "existing": true, + "type": "Microsoft.Network/networkManagers", + "apiVersion": "2024-05-01", + "name": "[parameters('networkManagerName')]" + }, + "ruleCollection": { + "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections", + "apiVersion": "2024-05-01", + "name": "[format('{0}/{1}/{2}', parameters('networkManagerName'), parameters('securityAdminConfigurationName'), parameters('name'))]", + "properties": { + "description": "[parameters('description')]", + "appliesToGroups": "[map(parameters('appliesToGroups'), lambda('group', createObject('networkGroupId', lambdaVariables('group').networkGroupResourceId)))]" + } + }, + "ruleCollection_rules": { + "copy": { + "name": "ruleCollection_rules", + "count": "[length(coalesce(parameters('rules'), createArray()))]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-RuleCollections-Rules-{1}', uniqueString(deployment().name), copyIndex())]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "networkManagerName": { + "value": "[parameters('networkManagerName')]" + }, + "securityAdminConfigurationName": { + "value": "[parameters('securityAdminConfigurationName')]" + }, + "ruleCollectionName": { + "value": "[parameters('name')]" + }, + "name": { + "value": "[coalesce(parameters('rules'), 
createArray())[copyIndex()].name]" + }, + "access": { + "value": "[coalesce(parameters('rules'), createArray())[copyIndex()].access]" + }, + "description": { + "value": "[tryGet(coalesce(parameters('rules'), createArray())[copyIndex()], 'description')]" + }, + "destinationPortRanges": { + "value": "[coalesce(tryGet(coalesce(parameters('rules'), createArray())[copyIndex()], 'destinationPortRanges'), createArray())]" + }, + "destinations": { + "value": "[coalesce(tryGet(coalesce(parameters('rules'), createArray())[copyIndex()], 'destinations'), createArray())]" + }, + "direction": { + "value": "[coalesce(parameters('rules'), createArray())[copyIndex()].direction]" + }, + "priority": { + "value": "[coalesce(parameters('rules'), createArray())[copyIndex()].priority]" + }, + "protocol": { + "value": "[coalesce(parameters('rules'), createArray())[copyIndex()].protocol]" + }, + "sourcePortRanges": { + "value": "[coalesce(tryGet(coalesce(parameters('rules'), createArray())[copyIndex()], 'sourcePortRanges'), createArray())]" + }, + "sources": { + "value": "[coalesce(tryGet(coalesce(parameters('rules'), createArray())[copyIndex()], 'sources'), createArray())]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.32.4.45862", + "templateHash": "11831246248888143865" + }, + "name": "Network Manager Security Admin Configuration Rule Collection Rules", + "description": "This module deploys an Azure Virtual Network Manager (AVNM) Security Admin Configuration Rule Collection Rule.\r\nA security admin configuration contains a set of rule collections. 
Each rule collection contains one or more security admin rules.", + "owner": "Azure/module-maintainers" + }, + "definitions": { + "destinationPortRangesType": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "__bicep_export!": true + } + }, + "destinationsType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "addressPrefixType": { + "type": "string", + "allowedValues": [ + "IPPrefix", + "ServiceTag" + ], + "metadata": { + "description": "Required. Address prefix type." + } + }, + "addressPrefix": { + "type": "string", + "metadata": { + "description": "Required. Address prefix." + } + } + } + }, + "nullable": true, + "metadata": { + "__bicep_export!": true + } + }, + "sourcePortRangesType": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "__bicep_export!": true + } + }, + "sourcesType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "addressPrefixType": { + "type": "string", + "allowedValues": [ + "IPPrefix", + "ServiceTag" + ], + "metadata": { + "description": "Required. Address prefix type." + } + }, + "addressPrefix": { + "type": "string", + "metadata": { + "description": "Required. Address prefix." + } + } + } + }, + "nullable": true, + "metadata": { + "__bicep_export!": true + } + } + }, + "parameters": { + "networkManagerName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent network manager. Required if the template is used in a standalone deployment." + } + }, + "securityAdminConfigurationName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent security admin configuration. Required if the template is used in a standalone deployment." + } + }, + "ruleCollectionName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent rule collection. 
Required if the template is used in a standalone deployment." + } + }, + "name": { + "type": "string", + "maxLength": 64, + "metadata": { + "description": "Required. The name of the rule." + } + }, + "description": { + "type": "string", + "defaultValue": "", + "maxLength": 500, + "metadata": { + "description": "Optional. A description of the rule." + } + }, + "access": { + "type": "string", + "allowedValues": [ + "Allow", + "AlwaysAllow", + "Deny" + ], + "metadata": { + "description": "Required. Indicates the access allowed for this particular rule. \"Allow\" means traffic matching this rule will be allowed. \"Deny\" means traffic matching this rule will be blocked. \"AlwaysAllow\" means that traffic matching this rule will be allowed regardless of other rules with lower priority or user-defined NSGs." + } + }, + "destinationPortRanges": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. List of destination port ranges. This specifies on which ports traffic will be allowed or denied by this rule. Provide an (*) to allow traffic on any port. Port ranges are between 1-65535." + } + }, + "destinations": { + "$ref": "#/definitions/destinationsType", + "metadata": { + "description": "Optional. The destnations filter can be an IP Address or a service tag. Each filter contains the properties AddressPrefixType (IPPrefix or ServiceTag) and AddressPrefix (using CIDR notation (e.g. 192.168.99.0/24 or 2001:1234::/64) or a service tag (e.g. AppService.WestEurope)). Combining CIDR and Service tags in one rule filter is not permitted." + } + }, + "direction": { + "type": "string", + "allowedValues": [ + "Inbound", + "Outbound" + ], + "metadata": { + "description": "Required. Indicates if the traffic matched against the rule in inbound or outbound." + } + }, + "priority": { + "type": "int", + "minValue": 1, + "maxValue": 4096, + "metadata": { + "description": "Required. The priority of the rule. 
The value can be between 1 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule." + } + }, + "protocol": { + "type": "string", + "allowedValues": [ + "Ah", + "Any", + "Esp", + "Icmp", + "Tcp", + "Udp" + ], + "metadata": { + "description": "Required. Network protocol this rule applies to." + } + }, + "sourcePortRanges": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. List of destination port ranges. This specifies on which ports traffic will be allowed or denied by this rule. Provide an (*) to allow traffic on any port. Port ranges are between 1-65535." + } + }, + "sources": { + "$ref": "#/definitions/sourcesType", + "metadata": { + "description": "Optional. The source filter can be an IP Address or a service tag. Each filter contains the properties AddressPrefixType (IPPrefix or ServiceTag) and AddressPrefix (using CIDR notation (e.g. 192.168.99.0/24 or 2001:1234::/64) or a service tag (e.g. AppService.WestEurope)). Combining CIDR and Service tags in one rule filter is not permitted." 
+ } + } + }, + "resources": { + "networkManager::securityAdminConfiguration::ruleCollection": { + "existing": true, + "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections", + "apiVersion": "2024-05-01", + "name": "[format('{0}/{1}/{2}', parameters('networkManagerName'), parameters('securityAdminConfigurationName'), parameters('ruleCollectionName'))]" + }, + "networkManager::securityAdminConfiguration": { + "existing": true, + "type": "Microsoft.Network/networkManagers/securityAdminConfigurations", + "apiVersion": "2024-05-01", + "name": "[format('{0}/{1}', parameters('networkManagerName'), parameters('securityAdminConfigurationName'))]" + }, + "networkManager": { + "existing": true, + "type": "Microsoft.Network/networkManagers", + "apiVersion": "2024-05-01", + "name": "[parameters('networkManagerName')]" + }, + "rule": { + "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules", + "apiVersion": "2024-05-01", + "name": "[format('{0}/{1}/{2}/{3}', parameters('networkManagerName'), parameters('securityAdminConfigurationName'), parameters('ruleCollectionName'), parameters('name'))]", + "kind": "Custom", + "properties": { + "access": "[parameters('access')]", + "description": "[parameters('description')]", + "destinationPortRanges": "[parameters('destinationPortRanges')]", + "destinations": "[parameters('destinations')]", + "direction": "[parameters('direction')]", + "priority": "[parameters('priority')]", + "protocol": "[parameters('protocol')]", + "sourcePortRanges": "[parameters('sourcePortRanges')]", + "sources": "[parameters('sources')]" + } + } + }, + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the deployed rule." + }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the deployed rule." 
+ }, + "value": "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules', parameters('networkManagerName'), parameters('securityAdminConfigurationName'), parameters('ruleCollectionName'), parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The resource group the rule was deployed into." + }, + "value": "[resourceGroup().name]" + } + } + } + }, + "dependsOn": [ + "ruleCollection" + ] + } + }, + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the deployed admin rule collection." + }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the deployed admin rule collection." + }, + "value": "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections', parameters('networkManagerName'), parameters('securityAdminConfigurationName'), parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The resource group the admin rule collection was deployed into." + }, + "value": "[resourceGroup().name]" } } } }, - "nullable": true - } - }, - "parameters": { - "networkManagerName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent network manager. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "maxLength": 64, - "metadata": { - "description": "Required. The name of the connectivity configuration." - } - }, - "description": { - "type": "string", - "nullable": true, - "maxLength": 500, - "metadata": { - "description": "Optional. A description of the connectivity configuration." - } - }, - "appliesToGroups": { - "$ref": "#/definitions/appliesToGroupsType", - "metadata": { - "description": "Required. Network Groups for the configuration. 
A connectivity configuration must be associated to at least one network group." - } - }, - "connectivityTopology": { - "type": "string", - "allowedValues": [ - "HubAndSpoke", - "Mesh" - ], - "metadata": { - "description": "Required. Connectivity topology type." - } - }, - "hubs": { - "$ref": "#/definitions/hubsType", - "metadata": { - "description": "Conditional. List of hub items. This will create peerings between the specified hub and the virtual networks in the network group specified. Required if connectivityTopology is of type \"HubAndSpoke\"." - } - }, - "deleteExistingPeering": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Flag if need to remove current existing peerings. If set to \"True\", all peerings on virtual networks in selected network groups will be removed and replaced with the peerings defined by this configuration. Optional when connectivityTopology is of type \"HubAndSpoke\"." - } - }, - "isGlobal": { - "type": "bool", - "defaultValue": false, - "metadata": { - "description": "Optional. Flag if global mesh is supported. By default, mesh connectivity is applied to virtual networks within the same region. If set to \"True\", a global mesh enables connectivity across regions." 
- } - } - }, - "resources": { - "networkManager": { - "existing": true, - "type": "Microsoft.Network/networkManagers", - "apiVersion": "2023-11-01", - "name": "[parameters('networkManagerName')]" - }, - "connectivityConfiguration": { - "type": "Microsoft.Network/networkManagers/connectivityConfigurations", - "apiVersion": "2023-11-01", - "name": "[format('{0}/{1}', parameters('networkManagerName'), parameters('name'))]", - "properties": { - "appliesToGroups": "[map(parameters('appliesToGroups'), lambda('group', createObject('groupConnectivity', lambdaVariables('group').groupConnectivity, 'isGlobal', coalesce(string(lambdaVariables('group').isGlobal), 'false'), 'networkGroupId', lambdaVariables('group').networkGroupResourceId, 'useHubGateway', coalesce(string(lambdaVariables('group').useHubGateway), 'false'))))]", - "connectivityTopology": "[parameters('connectivityTopology')]", - "deleteExistingPeering": "[if(equals(parameters('connectivityTopology'), 'HubAndSpoke'), string(parameters('deleteExistingPeering')), 'false')]", - "description": "[coalesce(parameters('description'), '')]", - "hubs": "[if(equals(parameters('connectivityTopology'), 'HubAndSpoke'), parameters('hubs'), createArray())]", - "isGlobal": "[string(parameters('isGlobal'))]" - } + "dependsOn": [ + "securityAdminConfigurations" + ] } }, "outputs": { "name": { "type": "string", "metadata": { - "description": "The name of the deployed connectivity configuration." + "description": "The name of the deployed security admin configuration." }, "value": "[parameters('name')]" }, "resourceId": { "type": "string", "metadata": { - "description": "The resource ID of the deployed connectivity configuration." + "description": "The resource ID of the deployed security admin configuration." 
}, - "value": "[resourceId('Microsoft.Network/networkManagers/connectivityConfigurations', parameters('networkManagerName'), parameters('name'))]" + "value": "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations', parameters('networkManagerName'), parameters('name'))]" }, "resourceGroupName": { "type": "string", "metadata": { - "description": "The resource group the connectivity configuration was deployed into." + "description": "The resource group the security admin configuration was deployed into." }, "value": "[resourceGroup().name]" } @@ -1203,14 +2714,14 @@ "networkManager_networkGroups" ] }, - "networkManager_scopeConnections": { + "networkManager_routingConfigurations": { "copy": { - "name": "networkManager_scopeConnections", - "count": "[length(coalesce(parameters('scopeConnections'), createArray()))]" + "name": "networkManager_routingConfigurations", + "count": "[length(coalesce(parameters('routingConfigurations'), createArray()))]" }, "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-NetworkManager-ScopeConnections-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "name": "[format('{0}-NetworkManager-RoutingConfigurations-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", "properties": { "expressionEvaluationOptions": { "scope": "inner" 
@@ -1218,19 +2729,16 @@ "mode": "Incremental", "parameters": { "name": { - "value": "[coalesce(parameters('scopeConnections'), createArray())[copyIndex()].name]" + "value": "[coalesce(parameters('routingConfigurations'), createArray())[copyIndex()].name]" }, "networkManagerName": { "value": "[parameters('name')]" }, "description": { - "value": "[coalesce(tryGet(coalesce(parameters('scopeConnections'), createArray())[copyIndex()], 'description'), '')]" - }, - "resourceId": { - "value": "[coalesce(parameters('scopeConnections'), createArray())[copyIndex()].resourceId]" + "value": "[tryGet(coalesce(parameters('routingConfigurations'), createArray())[copyIndex()], 'description')]" }, - "tenantId": { - "value": "[coalesce(parameters('scopeConnections'), createArray())[copyIndex()].tenantId]" + "ruleCollections": { + "value": "[coalesce(tryGet(coalesce(parameters('routingConfigurations'), createArray())[copyIndex()], 'ruleCollections'), createArray())]" } }, "template": { 
@@ -1241,148 +2749,134 @@ "_generator": { "name": "bicep", "version": "0.32.4.45862", - "templateHash": "15079843378119506037" + "templateHash": "11438426137887406030" }, - "name": "Network Manager Scope Connections", - "description": "This module deploys a Network Manager Scope Connection.\nCreate a cross-tenant connection to manage a resource from another tenant.", + "name": "Network Manager Routing Configurations", + "description": "This module deploys an Network Manager Routing Configuration.\r\nRouting configurations are the building blocks of UDR management. They're used to describe the desired routing behavior for a network group.", "owner": "Azure/module-maintainers" }, - "parameters": { - "networkManagerName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent network manager. Required if the template is used in a standalone deployment." - } - }, - "name": { - "type": "string", - "maxLength": 64, - "metadata": { - "description": "Required. The name of the scope connection." - } - }, - "description": { - "type": "string", + "definitions": { + "routingConfigurationRuleCollectionType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the rule collection." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. A description of the rule collection." + } + }, + "appliesTo": { + "$ref": "#/definitions/appliesToType", + "metadata": { + "description": "Required. List of network groups for configuration. A routing rule collection must be associated to at least one network group." + } + }, + "disableBgpRoutePropagation": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Disables BGP route propagation for the rule collection. Defaults to true." 
+ } + }, + "rules": { + "$ref": "#/definitions/rulesType", + "nullable": true, + "metadata": { + "description": "Optional. List of rules for the routing rules collection. Warning: A rule collection without a rule will cause a deployment of routing configuration to fail in network manager." + } + } + } + }, "nullable": true, - "maxLength": 500, - "metadata": { - "description": "Optional. A description of the scope connection." - } - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "Required. Enter the subscription or management group resource ID that you want to add to this network manager's scope." - } - }, - "tenantId": { - "type": "string", "metadata": { - "description": "Required. Tenant ID of the subscription or management group that you want to manage." - } - } - }, - "resources": { - "networkManager": { - "existing": true, - "type": "Microsoft.Network/networkManagers", - "apiVersion": "2023-11-01", - "name": "[parameters('networkManagerName')]" - }, - "scopeConnection": { - "type": "Microsoft.Network/networkManagers/scopeConnections", - "apiVersion": "2023-11-01", - "name": "[format('{0}/{1}', parameters('networkManagerName'), parameters('name'))]", - "properties": { - "description": "[coalesce(parameters('description'), '')]", - "resourceId": "[parameters('resourceId')]", - "tenantId": "[parameters('tenantId')]" + "__bicep_export!": true } - } - }, - "outputs": { - "name": { - "type": "string", - "metadata": { - "description": "The name of the deployed scope connection." - }, - "value": "[parameters('name')]" - }, - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the deployed scope connection." - }, - "value": "[resourceId('Microsoft.Network/networkManagers/scopeConnections', parameters('networkManagerName'), parameters('name'))]" }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The resource group the scope connection was deployed into." 
- }, - "value": "[resourceGroup().name]" - } - } - } - }, - "dependsOn": [ - "networkManager" - ] - }, - "networkManager_securityAdminConfigurations": { - "copy": { - "name": "networkManager_securityAdminConfigurations", - "count": "[length(coalesce(parameters('securityAdminConfigurations'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-NetworkManager-SecurityAdminConfigurations-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "name": { - "value": "[coalesce(parameters('securityAdminConfigurations'), createArray())[copyIndex()].name]" - }, - "networkManagerName": { - "value": "[parameters('name')]" - }, - "description": { - "value": "[coalesce(tryGet(coalesce(parameters('securityAdminConfigurations'), createArray())[copyIndex()], 'description'), '')]" - }, - "applyOnNetworkIntentPolicyBasedServices": { - "value": "[coalesce(parameters('securityAdminConfigurations'), createArray())[copyIndex()].applyOnNetworkIntentPolicyBasedServices]" - }, - "ruleCollections": { - "value": "[coalesce(tryGet(coalesce(parameters('securityAdminConfigurations'), createArray())[copyIndex()], 'ruleCollections'), createArray())]" - } - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.32.4.45862", - "templateHash": "1513499222839675769" + "_1.destinationType": { + "type": "object", + "properties": { + "type": { + "type": "string", + "allowedValues": [ + "AddressPrefix", + "ServiceTag" + ], + "metadata": { + "description": "Required. The destination type can be IP addresses or Service Tag for this route. 
Address Prefixes are defined using the CIDR format, while Service tags are predefined identifiers that represent a category of IP addresses, which are managed by Azure." + } + }, + "destinationAddress": { + "type": "string", + "metadata": { + "description": "Required. The destination IP addresses or Service Tag for this route. For IP addresses, it is the IP address range in CIDR notation that this route applies to. If the destination IP address of a packet falls in this range, it matches this route. As for Service Tags, valid identifiers can be \"AzureCloud\", \"Storage.AustraliaEast\", etc. See https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview for more information on service tags." + } + } + }, + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "rule-collection/rule/main.bicep" + } + } }, - "name": "Network Manager Security Admin Configurations", - "description": "This module deploys an Network Manager Security Admin Configuration.\nA security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "applyOnNetworkIntentPolicyBasedServicesType": { + "_1.nextHopType": { + "type": "object", + "properties": { + "nextHopType": { + "type": "string", + "allowedValues": [ + "Internet", + "NoNextHop", + "VirtualAppliance", + "VirtualNetworkGateway", + "VnetLocal" + ], + "metadata": { + "description": "Required. The next hop handles the matching packets for this route. It can be the virtual network, the virtual network gateway, the internet, a virtual appliance, or none. Virtual network gateways cannot be used if the address prefix is IPv6. If the next hop type is VirtualAppliance, the next hop address must be specified." + } + }, + "nextHopAddress": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Conditional. The IP address of the next hop. 
Required if the next hop type is VirtualAppliance." + } + } + }, + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "rule-collection/rule/main.bicep" + } + } + }, + "appliesToType": { "type": "array", - "allowedValues": [ - "All", - "AllowRulesOnly", - "None" - ] + "items": { + "type": "object", + "properties": { + "networkGroupResourceId": { + "type": "string", + "metadata": { + "description": "Required. The resource ID of the network group." + } + } + } + }, + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "rule-collection/main.bicep" + } + } }, - "ruleCollectionType": { + "rulesType": { "type": "array", "items": { "type": "object", 
@@ -1390,180 +2884,36 @@ "name": { "type": "string", "metadata": { - "description": "Required. The name of the admin rule collection." + "description": "Required. The name of the rule." } }, "description": { "type": "string", "nullable": true, "metadata": { - "description": "Optional. A description of the admin rule collection." + "description": "Optional. A description of the rule." } }, - "appliesToGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "networkGroupResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the network group." - } - } - } - }, + "destination": { + "$ref": "#/definitions/_1.destinationType", "metadata": { - "description": "Required. List of network groups for configuration. An admin rule collection must be associated to at least one network group." + "description": "Required. The destination can be IP addresses or Service Tag for this route. Address Prefixes are defined using the CIDR format, while Service tags are predefined identifiers that represent a category of IP addresses, which are managed by Azure." } }, - "rules": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the rule." - } - }, - "access": { - "type": "string", - "allowedValues": [ - "Allow", - "AlwaysAllow", - "Deny" - ], - "metadata": { - "description": "Required. Indicates the access allowed for this particular rule. \"Allow\" means traffic matching this rule will be allowed. \"Deny\" means traffic matching this rule will be blocked. \"AlwaysAllow\" means that traffic matching this rule will be allowed regardless of other rules with lower priority or user-defined NSGs." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. A description of the rule." 
- } - }, - "destinationPortRanges": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. List of destination port ranges. This specifies on which ports traffic will be allowed or denied by this rule. Provide an (*) to allow traffic on any port. Port ranges are between 1-65535." - } - }, - "destinations": { - "type": "array", - "items": { - "type": "object", - "properties": { - "addressPrefixType": { - "type": "string", - "allowedValues": [ - "IPPrefix", - "ServiceTag" - ], - "metadata": { - "description": "Required. Address prefix type." - } - }, - "addressPrefix": { - "type": "string", - "metadata": { - "description": "Required. Address prefix." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The destnations filter can be an IP Address or a service tag. Each filter contains the properties AddressPrefixType (IPPrefix or ServiceTag) and AddressPrefix (using CIDR notation (e.g. 192.168.99.0/24 or 2001:1234::/64) or a service tag (e.g. AppService.WestEurope)). Combining CIDR and Service tags in one rule filter is not permitted." - } - }, - "direction": { - "type": "string", - "allowedValues": [ - "Inbound", - "Outbound" - ], - "metadata": { - "description": "Required. Indicates if the traffic matched against the rule in inbound or outbound." - } - }, - "priority": { - "type": "int", - "minValue": 1, - "maxValue": 4096, - "metadata": { - "description": "Required. The priority of the rule. The value can be between 1 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule." - } - }, - "protocol": { - "type": "string", - "allowedValues": [ - "Ah", - "Any", - "Esp", - "Icmp", - "Tcp", - "Udp" - ], - "metadata": { - "description": "Required. Network protocol this rule applies to." 
- } - }, - "sourcePortRanges": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. List of destination port ranges. This specifies on which ports traffic will be allowed or denied by this rule. Provide an (*) to allow traffic on any port. Port ranges are between 1-65535." - } - }, - "sources": { - "type": "array", - "items": { - "type": "object", - "properties": { - "addressPrefixType": { - "type": "string", - "allowedValues": [ - "IPPrefix", - "ServiceTag" - ], - "metadata": { - "description": "Required. Address prefix type." - } - }, - "addressPrefix": { - "type": "string", - "metadata": { - "description": "Required. Address prefix." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The source filter can be an IP Address or a service tag. Each filter contains the properties AddressPrefixType (IPPrefix or ServiceTag) and AddressPrefix (using CIDR notation (e.g. 192.168.99.0/24 or 2001:1234::/64) or a service tag (e.g. AppService.WestEurope)). Combining CIDR and Service tags in one rule filter is not permitted." - } - } - } - }, - "nullable": true, + "nextHop": { + "$ref": "#/definitions/_1.nextHopType", "metadata": { - "description": "Optional. List of rules for the admin rules collection. Security admin rules allows enforcing security policy criteria that matches the conditions set. Warning: A rule collection without rule will cause a deployment configuration for security admin goal state in network manager to fail." + "description": "Required. The next hop handles the matching packets for this route. It can be the virtual network, the virtual network gateway, the internet, a virtual appliance, or none. Virtual network gateways cannot be used if the address prefix is IPv6. If the next hop type is VirtualAppliance, the next hop address must be specified." 
} } } }, - "nullable": true + "nullable": true, + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "rule-collection/main.bicep" + } + } } }, "parameters": { @@ -1577,27 +2927,21 @@ "type": "string", "maxLength": 64, "metadata": { - "description": "Required. The name of the security admin configuration." + "description": "Required. The name of the routing configuration." } }, "description": { "type": "string", - "nullable": true, + "defaultValue": "", "maxLength": 500, "metadata": { - "description": "Optional. A description of the security admin configuration." - } - }, - "applyOnNetworkIntentPolicyBasedServices": { - "$ref": "#/definitions/applyOnNetworkIntentPolicyBasedServicesType", - "metadata": { - "description": "Required. Enum list of network intent policy based services." + "description": "Optional. A description of the routing configuration." } }, "ruleCollections": { - "$ref": "#/definitions/ruleCollectionType", + "$ref": "#/definitions/routingConfigurationRuleCollectionType", "metadata": { - "description": "Optional. A security admin configuration contains a set of rule collections that are applied to network groups. Each rule collection contains one or more security admin rules." + "description": "Optional. A routing configuration contains a set of rule collections that are applied to network groups. Each rule collection contains one or more routing rules." } } }, 
@@ -1605,26 +2949,25 @@ "networkManager": { "existing": true, "type": "Microsoft.Network/networkManagers", - "apiVersion": "2023-11-01", + "apiVersion": "2024-05-01", "name": "[parameters('networkManagerName')]" }, - "securityAdminConfigurations": { - "type": "Microsoft.Network/networkManagers/securityAdminConfigurations", - "apiVersion": "2023-11-01", + "routingConfigurations": { + "type": "Microsoft.Network/networkManagers/routingConfigurations", + "apiVersion": "2024-05-01", "name": "[format('{0}/{1}', parameters('networkManagerName'), parameters('name'))]", "properties": { - "description": "[coalesce(parameters('description'), '')]", - "applyOnNetworkIntentPolicyBasedServices": "[parameters('applyOnNetworkIntentPolicyBasedServices')]" + "description": "[parameters('description')]" } }, - "securityAdminConfigurations_ruleCollections": { + "routingConfigurations_ruleCollections": { "copy": { - "name": "securityAdminConfigurations_ruleCollections", + "name": "routingConfigurations_ruleCollections", "count": "[length(coalesce(parameters('ruleCollections'), createArray()))]" }, "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-SecurityAdminConfigurations-RuleCollections-{1}', uniqueString(deployment().name), copyIndex())]", + "name": "[format('{0}-RoutingConfigurations-RuleCollections-{1}', uniqueString(deployment().name), copyIndex())]", "properties": { "expressionEvaluationOptions": { "scope": "inner" 
@@ -1634,17 +2977,20 @@ "networkManagerName": { "value": "[parameters('networkManagerName')]" }, - "securityAdminConfigurationName": { + "routingConfigurationName": { "value": "[parameters('name')]" }, "name": { "value": "[coalesce(parameters('ruleCollections'), createArray())[copyIndex()].name]" }, "description": { - "value": "[coalesce(tryGet(coalesce(parameters('ruleCollections'), createArray())[copyIndex()], 'description'), '')]" + "value": "[tryGet(coalesce(parameters('ruleCollections'), createArray())[copyIndex()], 'description')]" }, - "appliesToGroups": { - "value": "[coalesce(parameters('ruleCollections'), createArray())[copyIndex()].appliesToGroups]" + "appliesTo": { + "value": "[coalesce(parameters('ruleCollections'), createArray())[copyIndex()].appliesTo]" + }, + "disableBgpRoutePropagation": { + "value": "[tryGet(coalesce(parameters('ruleCollections'), createArray())[copyIndex()], 'disableBgpRoutePropagation')]" }, "rules": { "value": "[coalesce(tryGet(coalesce(parameters('ruleCollections'), createArray())[copyIndex()], 'rules'), createArray())]" 
@@ -1658,14 +3004,14 @@ "_generator": { "name": "bicep", "version": "0.32.4.45862", - "templateHash": "2660798758480993366" + "templateHash": "12392053229903210262" }, - "name": "Network Manager Security Admin Configuration Rule Collections", - "description": "This module deploys an Network Manager Security Admin Configuration Rule Collection.\nA security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules. Security admin rules allows enforcing security policy criteria that matches the conditions set. Warning: A rule collection without rule will cause a deployment configuration for security admin goal state in network manager to fail.", + "name": "Network Manager Routing Configuration Rule Collections", + "description": "This module deploys an Network Manager Routing Configuration Rule Collection.\r\nRouting configurations are the building blocks of UDR management. They're used to describe the desired routing behavior for a network group. Each routing configuration contains one ore more rule collections. Warning: A rule collection without a rule will cause a deployment of routing configuration to fail in network manager.", "owner": "Azure/module-maintainers" }, "definitions": { - "appliesToGroupsType": { + "appliesToType": { "type": "array", "items": { "type": "object", @@ -1677,6 +3023,9 @@ } } } + }, + "metadata": { + "__bicep_export!": true } }, "rulesType": { 
@@ -1690,17 +3039,6 @@ "description": "Required. The name of the rule." } }, - "access": { - "type": "string", - "allowedValues": [ - "Allow", - "AlwaysAllow", - "Deny" - ], - "metadata": { - "description": "Required. Indicates the access allowed for this particular rule. \"Allow\" means traffic matching this rule will be allowed. \"Deny\" means traffic matching this rule will be blocked. \"AlwaysAllow\" means that traffic matching this rule will be allowed regardless of other rules with lower priority or user-defined NSGs." - } - }, "description": { "type": "string", "nullable": true, 
@@ -1708,117 +3046,80 @@ "description": "Optional. A description of the rule." } }, - "destinationPortRanges": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. List of destination port ranges. This specifies on which ports traffic will be allowed or denied by this rule. Provide an (*) to allow traffic on any port. Port ranges are between 1-65535." - } - }, - "destinations": { - "type": "array", - "items": { - "type": "object", - "properties": { - "addressPrefixType": { - "type": "string", - "allowedValues": [ - "IPPrefix", - "ServiceTag" - ], - "metadata": { - "description": "Required. Address prefix type." - } - }, - "addressPrefix": { - "type": "string", - "metadata": { - "description": "Required. Address prefix." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The destnations filter can be an IP Address or a service tag. Each filter contains the properties AddressPrefixType (IPPrefix or ServiceTag) and AddressPrefix (using CIDR notation (e.g. 192.168.99.0/24 or 2001:1234::/64) or a service tag (e.g. AppService.WestEurope)). Combining CIDR and Service tags in one rule filter is not permitted." - } - }, - "direction": { - "type": "string", - "allowedValues": [ - "Inbound", - "Outbound" - ], - "metadata": { - "description": "Required. Indicates if the traffic matched against the rule in inbound or outbound." - } - }, - "priority": { - "type": "int", - "minValue": 1, - "maxValue": 4096, - "metadata": { - "description": "Required. The priority of the rule. The value can be between 1 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule." - } - }, - "protocol": { - "type": "string", - "allowedValues": [ - "Ah", - "Any", - "Esp", - "Icmp", - "Tcp", - "Udp" - ], - "metadata": { - "description": "Required. Network protocol this rule applies to." 
- } - }, - "sourcePortRanges": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, + "destination": { + "$ref": "#/definitions/destinationType", "metadata": { - "description": "Optional. List of destination port ranges. This specifies on which ports traffic will be allowed or denied by this rule. Provide an (*) to allow traffic on any port. Port ranges are between 1-65535." + "description": "Required. The destination can be IP addresses or Service Tag for this route. Address Prefixes are defined using the CIDR format, while Service tags are predefined identifiers that represent a category of IP addresses, which are managed by Azure." } }, - "sources": { - "type": "array", - "items": { - "type": "object", - "properties": { - "addressPrefixType": { - "type": "string", - "allowedValues": [ - "IPPrefix", - "ServiceTag" - ], - "metadata": { - "description": "Required. Address prefix type." - } - }, - "addressPrefix": { - "type": "string", - "metadata": { - "description": "Required. Address prefix." - } - } - } - }, - "nullable": true, + "nextHop": { + "$ref": "#/definitions/nextHopType", "metadata": { - "description": "Optional. The source filter can be an IP Address or a service tag. Each filter contains the properties AddressPrefixType (IPPrefix or ServiceTag) and AddressPrefix (using CIDR notation (e.g. 192.168.99.0/24 or 2001:1234::/64) or a service tag (e.g. AppService.WestEurope)). Combining CIDR and Service tags in one rule filter is not permitted." + "description": "Required. The next hop handles the matching packets for this route. It can be the virtual network, the virtual network gateway, the internet, a virtual appliance, or none. Virtual network gateways cannot be used if the address prefix is IPv6. If the next hop type is VirtualAppliance, the next hop address must be specified." 
} } } }, - "nullable": true + "nullable": true, + "metadata": { + "__bicep_export!": true + } + }, + "destinationType": { + "type": "object", + "properties": { + "type": { + "type": "string", + "allowedValues": [ + "AddressPrefix", + "ServiceTag" + ], + "metadata": { + "description": "Required. The destination type can be IP addresses or Service Tag for this route. Address Prefixes are defined using the CIDR format, while Service tags are predefined identifiers that represent a category of IP addresses, which are managed by Azure." + } + }, + "destinationAddress": { + "type": "string", + "metadata": { + "description": "Required. The destination IP addresses or Service Tag for this route. For IP addresses, it is the IP address range in CIDR notation that this route applies to. If the destination IP address of a packet falls in this range, it matches this route. As for Service Tags, valid identifiers can be \"AzureCloud\", \"Storage.AustraliaEast\", etc. See https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview for more information on service tags." + } + } + }, + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "rule/main.bicep" + } + } + }, + "nextHopType": { + "type": "object", + "properties": { + "nextHopType": { + "type": "string", + "allowedValues": [ + "Internet", + "NoNextHop", + "VirtualAppliance", + "VirtualNetworkGateway", + "VnetLocal" + ], + "metadata": { + "description": "Required. The next hop handles the matching packets for this route. It can be the virtual network, the virtual network gateway, the internet, a virtual appliance, or none. Virtual network gateways cannot be used if the address prefix is IPv6. If the next hop type is VirtualAppliance, the next hop address must be specified." + } + }, + "nextHopAddress": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Conditional. The IP address of the next hop. Required if the next hop type is VirtualAppliance." 
+ } + } + }, + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "rule/main.bicep" + } + } } }, "parameters": { 
@@ -1828,65 +3129,73 @@ "description": "Conditional. The name of the parent network manager. Required if the template is used in a standalone deployment." } }, - "securityAdminConfigurationName": { + "routingConfigurationName": { "type": "string", "metadata": { - "description": "Conditional. The name of the parent security admin configuration. Required if the template is used in a standalone deployment." + "description": "Conditional. The name of the parent Routing Configuration. Required if the template is used in a standalone deployment." } }, "name": { "type": "string", "maxLength": 64, "metadata": { - "description": "Required. The name of the admin rule collection." + "description": "Required. The name of the routing rule collection." } }, "description": { "type": "string", - "nullable": true, + "defaultValue": "", "maxLength": 500, "metadata": { - "description": "Optional. A description of the admin rule collection." + "description": "Optional. A description of the routing rule collection." } }, - "appliesToGroups": { - "$ref": "#/definitions/appliesToGroupsType", + "appliesTo": { + "$ref": "#/definitions/appliesToType", "metadata": { - "description": "Required. List of network groups for configuration. An admin rule collection must be associated to at least one network group." + "description": "Required. List of network groups for configuration. A routing rule collection must be associated to at least one network group." + } + }, + "disableBgpRoutePropagation": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Determines whether BGP route propagation is enabled for the routing rule collection. Defaults to true." } }, "rules": { "$ref": "#/definitions/rulesType", "metadata": { - "description": "Optional. List of rules for the admin rules collection. Security admin rules allows enforcing security policy criteria that matches the conditions set. 
Warning: A rule collection without rule will cause a deployment configuration for security admin goal state in network manager to fail." + "description": "Optional. List of rules for the routing rules collection. Warning: A rule collection without a rule will cause a deployment of routing configuration to fail in network manager." } } }, "resources": { - "networkManager::securityAdminConfiguration": { + "networkManager::routingConfiguration": { "existing": true, - "type": "Microsoft.Network/networkManagers/securityAdminConfigurations", - "apiVersion": "2023-11-01", - "name": "[format('{0}/{1}', parameters('networkManagerName'), parameters('securityAdminConfigurationName'))]" + "type": "Microsoft.Network/networkManagers/routingConfigurations", + "apiVersion": "2024-05-01", + "name": "[format('{0}/{1}', parameters('networkManagerName'), parameters('routingConfigurationName'))]" }, "networkManager": { "existing": true, "type": "Microsoft.Network/networkManagers", - "apiVersion": "2023-11-01", + "apiVersion": "2024-05-01", "name": "[parameters('networkManagerName')]" }, "ruleCollection": { - "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections", - "apiVersion": "2023-11-01", - "name": "[format('{0}/{1}/{2}', parameters('networkManagerName'), parameters('securityAdminConfigurationName'), parameters('name'))]", + "type": "Microsoft.Network/networkManagers/routingConfigurations/ruleCollections", + "apiVersion": "2024-05-01", + "name": "[format('{0}/{1}/{2}', parameters('networkManagerName'), parameters('routingConfigurationName'), parameters('name'))]", "properties": { - "description": "[coalesce(parameters('description'), '')]", - "appliesToGroups": "[map(parameters('appliesToGroups'), lambda('group', createObject('networkGroupId', lambdaVariables('group').networkGroupResourceId)))]" + "description": "[parameters('description')]", + "appliesTo": "[map(parameters('appliesTo'), lambda('group', createObject('networkGroupId', 
lambdaVariables('group').networkGroupResourceId)))]", + "disableBgpRoutePropagation": "[string(parameters('disableBgpRoutePropagation'))]" } }, - "securityAdminConfigurations_rules": { + "ruleCollection_rules": { "copy": { - "name": "securityAdminConfigurations_rules", + "name": "ruleCollection_rules", "count": "[length(coalesce(parameters('rules'), createArray()))]" }, "type": "Microsoft.Resources/deployments", @@ -1901,8 +3210,8 @@ "networkManagerName": { "value": "[parameters('networkManagerName')]" }, - "securityAdminConfigurationName": { - "value": "[parameters('securityAdminConfigurationName')]" + "routingConfigurationName": { + "value": "[parameters('routingConfigurationName')]" }, "ruleCollectionName": { "value": "[parameters('name')]" 
@@ -1910,32 +3219,14 @@ "name": { "value": "[coalesce(parameters('rules'), createArray())[copyIndex()].name]" }, - "access": { - "value": "[coalesce(parameters('rules'), createArray())[copyIndex()].access]" - }, "description": { - "value": "[coalesce(tryGet(coalesce(parameters('rules'), createArray())[copyIndex()], 'description'), '')]" - }, - "destinationPortRanges": { - "value": "[coalesce(tryGet(coalesce(parameters('rules'), createArray())[copyIndex()], 'destinationPortRanges'), createArray())]" - }, - "destinations": { - "value": "[coalesce(tryGet(coalesce(parameters('rules'), createArray())[copyIndex()], 'destinations'), createArray())]" - }, - "direction": { - "value": "[coalesce(parameters('rules'), createArray())[copyIndex()].direction]" - }, - "priority": { - "value": "[coalesce(parameters('rules'), createArray())[copyIndex()].priority]" + "value": "[tryGet(coalesce(parameters('rules'), createArray())[copyIndex()], 'description')]" }, - "protocol": { - "value": "[coalesce(parameters('rules'), createArray())[copyIndex()].protocol]" - }, - "sourcePortRanges": { - "value": "[coalesce(tryGet(coalesce(parameters('rules'), createArray())[copyIndex()], 'sourcePortRanges'), createArray())]" + "destination": { + "value": "[coalesce(parameters('rules'), createArray())[copyIndex()].destination]" }, - "sources": { - "value": "[coalesce(tryGet(coalesce(parameters('rules'), createArray())[copyIndex()], 'sources'), createArray())]" + "nextHop": { + "value": "[coalesce(parameters('rules'), createArray())[copyIndex()].nextHop]" } }, "template": { 
@@ -1946,76 +3237,64 @@ "_generator": { "name": "bicep", "version": "0.32.4.45862", - "templateHash": "17715910169740786334" + "templateHash": "16150172197183244404" }, - "name": "Network Manager Security Admin Configuration Rule Collection Rules", - "description": "This module deploys an Azure Virtual Network Manager (AVNM) Security Admin Configuration Rule Collection Rule.\nA security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules.", + "name": "Network Manager Routing configuration Rule Collection Rules", + "description": "This module deploys an Azure Virtual Network Manager (AVNM) Routing Configuration Rule Collection Rule.\r\nA Routing configuration contains a set of rule collections. Each rule collection contains one or more routing rules.", "owner": "Azure/module-maintainers" }, "definitions": { - "destinationPortRangesType": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true - }, - "destinationsType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "addressPrefixType": { - "type": "string", - "allowedValues": [ - "IPPrefix", - "ServiceTag" - ], - "metadata": { - "description": "Required. Address prefix type." - } - }, - "addressPrefix": { - "type": "string", - "metadata": { - "description": "Required. Address prefix." - } + "destinationType": { + "type": "object", + "properties": { + "type": { + "type": "string", + "allowedValues": [ + "AddressPrefix", + "ServiceTag" + ], + "metadata": { + "description": "Required. The destination type can be IP addresses or Service Tag for this route. Address Prefixes are defined using the CIDR format, while Service tags are predefined identifiers that represent a category of IP addresses, which are managed by Azure." + } + }, + "destinationAddress": { + "type": "string", + "metadata": { + "description": "Required. The destination IP addresses or Service Tag for this route. 
For IP addresses, it is the IP address range in CIDR notation that this route applies to. If the destination IP address of a packet falls in this range, it matches this route. As for Service Tags, valid identifiers can be \"AzureCloud\", \"Storage.AustraliaEast\", etc. See https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview for more information on service tags." } } }, - "nullable": true - }, - "sourcePortRangesType": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true + "metadata": { + "__bicep_export!": true + } }, - "sourcesType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "addressPrefixType": { - "type": "string", - "allowedValues": [ - "IPPrefix", - "ServiceTag" - ], - "metadata": { - "description": "Required. Address prefix type." - } - }, - "addressPrefix": { - "type": "string", - "metadata": { - "description": "Required. Address prefix." - } + "nextHopType": { + "type": "object", + "properties": { + "nextHopType": { + "type": "string", + "allowedValues": [ + "Internet", + "NoNextHop", + "VirtualAppliance", + "VirtualNetworkGateway", + "VnetLocal" + ], + "metadata": { + "description": "Required. The next hop handles the matching packets for this route. It can be the virtual network, the virtual network gateway, the internet, a virtual appliance, or none. Virtual network gateways cannot be used if the address prefix is IPv6. If the next hop type is VirtualAppliance, the next hop address must be specified." + } + }, + "nextHopAddress": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Conditional. The IP address of the next hop. Required if the next hop type is VirtualAppliance." } } }, - "nullable": true + "metadata": { + "__bicep_export!": true + } } }, "parameters": { 
@@ -2025,10 +3304,10 @@ "description": "Conditional. The name of the parent network manager. Required if the template is used in a standalone deployment." } }, - "securityAdminConfigurationName": { + "routingConfigurationName": { "type": "string", "metadata": { - "description": "Conditional. The name of the parent security admin configuration. Required if the template is used in a standalone deployment." + "description": "Conditional. The name of the parent Routing configuration. Required if the template is used in a standalone deployment." } }, "ruleCollectionName": { 
@@ -2046,122 +3325,52 @@ }, "description": { "type": "string", - "nullable": true, + "defaultValue": "", "maxLength": 500, "metadata": { "description": "Optional. A description of the rule." } }, - "access": { - "type": "string", - "allowedValues": [ - "Allow", - "AlwaysAllow", - "Deny" - ], - "metadata": { - "description": "Required. Indicates the access allowed for this particular rule. \"Allow\" means traffic matching this rule will be allowed. \"Deny\" means traffic matching this rule will be blocked. \"AlwaysAllow\" means that traffic matching this rule will be allowed regardless of other rules with lower priority or user-defined NSGs." - } - }, - "destinationPortRanges": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. List of destination port ranges. This specifies on which ports traffic will be allowed or denied by this rule. Provide an (*) to allow traffic on any port. Port ranges are between 1-65535." - } - }, - "destinations": { - "$ref": "#/definitions/destinationsType", - "metadata": { - "description": "Optional. The destnations filter can be an IP Address or a service tag. Each filter contains the properties AddressPrefixType (IPPrefix or ServiceTag) and AddressPrefix (using CIDR notation (e.g. 192.168.99.0/24 or 2001:1234::/64) or a service tag (e.g. AppService.WestEurope)). Combining CIDR and Service tags in one rule filter is not permitted." - } - }, - "direction": { - "type": "string", - "allowedValues": [ - "Inbound", - "Outbound" - ], - "metadata": { - "description": "Required. Indicates if the traffic matched against the rule in inbound or outbound." - } - }, - "priority": { - "type": "int", - "minValue": 1, - "maxValue": 4096, - "metadata": { - "description": "Required. The priority of the rule. The value can be between 1 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule." 
- } - }, - "protocol": { - "type": "string", - "allowedValues": [ - "Ah", - "Any", - "Esp", - "Icmp", - "Tcp", - "Udp" - ], - "metadata": { - "description": "Required. Network protocol this rule applies to." - } - }, - "sourcePortRanges": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, + "destination": { + "$ref": "#/definitions/destinationType", "metadata": { - "description": "Optional. List of destination port ranges. This specifies on which ports traffic will be allowed or denied by this rule. Provide an (*) to allow traffic on any port. Port ranges are between 1-65535." + "description": "Required. The destination can be IP addresses or Service Tag for this route. Address Prefixes are defined using the CIDR format, while Service tags are predefined identifiers that represent a category of IP addresses, which are managed by Azure." } }, - "sources": { - "$ref": "#/definitions/sourcesType", + "nextHop": { + "$ref": "#/definitions/nextHopType", "metadata": { - "description": "Optional. The source filter can be an IP Address or a service tag. Each filter contains the properties AddressPrefixType (IPPrefix or ServiceTag) and AddressPrefix (using CIDR notation (e.g. 192.168.99.0/24 or 2001:1234::/64) or a service tag (e.g. AppService.WestEurope)). Combining CIDR and Service tags in one rule filter is not permitted." + "description": "Required. The next hop handles the matching packets for this route. It can be the virtual network, the virtual network gateway, the internet, a virtual appliance, or none. Virtual network gateways cannot be used if the address prefix is IPv6. If the next hop type is VirtualAppliance, the next hop address must be specified." 
} } }, "resources": { - "networkManager::securityAdminConfiguration::ruleCollection": { + "networkManager::routingConfiguration::ruleCollection": { "existing": true, - "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections", - "apiVersion": "2023-11-01", - "name": "[format('{0}/{1}/{2}', parameters('networkManagerName'), parameters('securityAdminConfigurationName'), parameters('ruleCollectionName'))]" + "type": "Microsoft.Network/networkManagers/routingConfigurations/ruleCollections", + "apiVersion": "2024-05-01", + "name": "[format('{0}/{1}/{2}', parameters('networkManagerName'), parameters('routingConfigurationName'), parameters('ruleCollectionName'))]" }, - "networkManager::securityAdminConfiguration": { + "networkManager::routingConfiguration": { "existing": true, - "type": "Microsoft.Network/networkManagers/securityAdminConfigurations", - "apiVersion": "2023-11-01", - "name": "[format('{0}/{1}', parameters('networkManagerName'), parameters('securityAdminConfigurationName'))]" + "type": "Microsoft.Network/networkManagers/routingConfigurations", + "apiVersion": "2024-05-01", + "name": "[format('{0}/{1}', parameters('networkManagerName'), parameters('routingConfigurationName'))]" }, "networkManager": { "existing": true, "type": "Microsoft.Network/networkManagers", - "apiVersion": "2023-11-01", + "apiVersion": "2024-05-01", "name": "[parameters('networkManagerName')]" }, "rule": { - "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules", - "apiVersion": "2023-11-01", - "name": "[format('{0}/{1}/{2}/{3}', parameters('networkManagerName'), parameters('securityAdminConfigurationName'), parameters('ruleCollectionName'), parameters('name'))]", - "kind": "Custom", + "type": "Microsoft.Network/networkManagers/routingConfigurations/ruleCollections/rules", + "apiVersion": "2024-05-01", + "name": "[format('{0}/{1}/{2}/{3}', parameters('networkManagerName'), parameters('routingConfigurationName'), 
parameters('ruleCollectionName'), parameters('name'))]", "properties": { - "access": "[parameters('access')]", - "description": "[coalesce(parameters('description'), '')]", - "destinationPortRanges": "[parameters('destinationPortRanges')]", - "destinations": "[parameters('destinations')]", - "direction": "[parameters('direction')]", - "priority": "[parameters('priority')]", - "protocol": "[parameters('protocol')]", - "sourcePortRanges": "[parameters('sourcePortRanges')]", - "sources": "[parameters('sources')]" + "description": "[parameters('description')]", + "destination": "[parameters('destination')]", + "nextHop": "[parameters('nextHop')]" } } }, @@ -2178,7 +3387,7 @@ "metadata": { "description": "The resource ID of the deployed rule." }, - "value": "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules', parameters('networkManagerName'), parameters('securityAdminConfigurationName'), parameters('ruleCollectionName'), parameters('name'))]" + "value": "[resourceId('Microsoft.Network/networkManagers/routingConfigurations/ruleCollections/rules', parameters('networkManagerName'), parameters('routingConfigurationName'), parameters('ruleCollectionName'), parameters('name'))]" }, "resourceGroupName": { "type": "string", 
@@ -2199,21 +3408,21 @@ "name": { "type": "string", "metadata": { - "description": "The name of the deployed admin rule collection." + "description": "The name of the deployed routing rule collection." }, "value": "[parameters('name')]" }, "resourceId": { "type": "string", "metadata": { - "description": "The resource ID of the deployed admin rule collection." + "description": "The resource ID of the deployed routing rule collection." }, - "value": "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections', parameters('networkManagerName'), parameters('securityAdminConfigurationName'), parameters('name'))]" + "value": "[resourceId('Microsoft.Network/networkManagers/routingConfigurations/ruleCollections', parameters('networkManagerName'), parameters('routingConfigurationName'), parameters('name'))]" }, "resourceGroupName": { "type": "string", "metadata": { - "description": "The resource group the admin rule collection was deployed into." + "description": "The resource group the routing rule collection was deployed into." }, "value": "[resourceGroup().name]" } @@ -2221,7 +3430,7 @@ } }, "dependsOn": [ - "securityAdminConfigurations" + "routingConfigurations" ] } }, 
@@ -2229,21 +3438,21 @@ "name": { "type": "string", "metadata": { - "description": "The name of the deployed security admin configuration." + "description": "The name of the deployed routing configuration." }, "value": "[parameters('name')]" }, "resourceId": { "type": "string", "metadata": { - "description": "The resource ID of the deployed security admin configuration." + "description": "The resource ID of the deployed routing configuration." }, - "value": "[resourceId('Microsoft.Network/networkManagers/securityAdminConfigurations', parameters('networkManagerName'), parameters('name'))]" + "value": "[resourceId('Microsoft.Network/networkManagers/routingConfigurations', parameters('networkManagerName'), parameters('name'))]" }, "resourceGroupName": { "type": "string", "metadata": { - "description": "The resource group the security admin configuration was deployed into." + "description": "The resource group the routing configuration was deployed into." }, "value": "[resourceGroup().name]" } @@ -2283,7 +3492,7 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference('networkManager', '2023-11-01', 'full').location]" + "value": "[reference('networkManager', '2024-05-01', 'full').location]" } } } \ No newline at end of file diff --git a/avm/res/network/network-manager/network-group/README.md b/avm/res/network/network-manager/network-group/README.md index d86241d4d4..cd306ce497 100644 --- a/avm/res/network/network-manager/network-group/README.md +++ b/avm/res/network/network-manager/network-group/README.md 
@@ -13,8 +13,8 @@ A network group is a collection of same-type network resources that you can asso | Resource Type | API Version | | :-- | :-- | -| `Microsoft.Network/networkManagers/networkGroups` | [2023-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-11-01/networkManagers/networkGroups) | -| `Microsoft.Network/networkManagers/networkGroups/staticMembers` | [2023-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-11-01/networkManagers/networkGroups/staticMembers) | +| `Microsoft.Network/networkManagers/networkGroups` | [2024-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2024-05-01/networkManagers/networkGroups) | +| `Microsoft.Network/networkManagers/networkGroups/staticMembers` | [2024-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2024-05-01/networkManagers/networkGroups/staticMembers) | ## Parameters @@ -35,6 +35,7 @@ A network group is a collection of same-type network resources that you can asso | Parameter | Type | Description | | :-- | :-- | :-- | | [`description`](#parameter-description) | string | A description of the network group. | +| [`memberType`](#parameter-membertype) | string | The type of the group member. Subnet member type is used for routing configurations. | | [`staticMembers`](#parameter-staticmembers) | array | Static Members to create for the network group. Contains virtual networks to add to the network group. | ### Parameter: `name` @@ -57,6 +58,22 @@ A description of the network group. - Required: No - Type: string +- Default: `''` + +### Parameter: `memberType` + +The type of the group member. Subnet member type is used for routing configurations. + +- Required: No +- Type: string +- Default: `'VirtualNetwork'` +- Allowed: + ```Bicep + [ + 'Subnet' + 'VirtualNetwork' + ] + ``` ### Parameter: `staticMembers` 
diff --git a/avm/res/network/network-manager/network-group/main.bicep b/avm/res/network/network-manager/network-group/main.bicep
index 31f872a756..ef729e612d 100644
--- a/avm/res/network/network-manager/network-group/main.bicep
+++ b/avm/res/network/network-manager/network-group/main.bicep
@@ -12,20 +12,28 @@ param name string
 
 @maxLength(500)
 @sys.description('Optional. A description of the network group.')
-param description string?
+param description string = ''
+
+@allowed([
+  'Subnet'
+  'VirtualNetwork'
+])
+@sys.description('Optional. The type of the group member. Subnet member type is used for routing configurations.')
+param memberType string = 'VirtualNetwork'
 
 @sys.description('Optional. Static Members to create for the network group. Contains virtual networks to add to the network group.')
 param staticMembers staticMembersType
 
-resource networkManager 'Microsoft.Network/networkManagers@2023-11-01' existing = {
+resource networkManager 'Microsoft.Network/networkManagers@2024-05-01' existing = {
   name: networkManagerName
 }
 
-resource networkGroup 'Microsoft.Network/networkManagers/networkGroups@2023-11-01' = {
+resource networkGroup 'Microsoft.Network/networkManagers/networkGroups@2024-05-01' = {
   name: name
   parent: networkManager
   properties: {
-    description: description ?? ''
+    description: description
+    memberType: memberType
   }
 }
 
@@ -54,6 +62,7 @@ output resourceGroupName string = resourceGroup().name
 // Definitions //
 // =============== //
 
+@export()
 type staticMembersType = {
   @sys.description('Required. The name of the static member.')
   name: string
diff --git a/avm/res/network/network-manager/network-group/main.json b/avm/res/network/network-manager/network-group/main.json
index 67733f979a..433f5ca166 100644
--- a/avm/res/network/network-manager/network-group/main.json
+++ b/avm/res/network/network-manager/network-group/main.json
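Review bot: The new `memberType` parameter admits `'Subnet'`, yet the `staticMembers` description on the context line right below it still says the group "Contains virtual networks to add to the network group", and the child static-member module in this same commit documents `resourceId` as the ID of a virtual network; for a `Subnet` group the static member IDs have to be subnet IDs instead. Suggest `@sys.description('Optional. Static Members to create for the network group. Contains the virtual networks or, when memberType is Subnet, the subnets to add to the network group.')`. Nothing in the template checks that the member resource IDs match `memberType`, so a mismatch presumably surfaces only at deployment time, which makes stating the dependency in the description the cheapest mitigation. If `memberType` cannot be changed on an existing network group (not verified here), the description should also say that changing it means recreating the group.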
@@ -6,10 +6,10 @@ "_generator": { "name": "bicep", "version": "0.32.4.45862", - "templateHash": "8871976301945912789" + "templateHash": "12405776367730933548" }, "name": "Network Manager Network Groups", - "description": "This module deploys a Network Manager Network Group.\nA network group is a collection of same-type network resources that you can associate with network manager configurations. You can add same-type network resources after you create the network group.", + "description": "This module deploys a Network Manager Network Group.\r\nA network group is a collection of same-type network resources that you can associate with network manager configurations. You can add same-type network resources after you create the network group.", "owner": "Azure/module-maintainers" }, "definitions": { @@ -32,7 +32,10 @@ } } }, - "nullable": true + "nullable": true, + "metadata": { + "__bicep_export!": true + } } }, "parameters": { @@ -51,12 +54,23 @@ }, "description": { "type": "string", - "nullable": true, + "defaultValue": "", "maxLength": 500, "metadata": { "description": "Optional. A description of the network group." } }, + "memberType": { + "type": "string", + "defaultValue": "VirtualNetwork", + "allowedValues": [ + "Subnet", + "VirtualNetwork" + ], + "metadata": { + "description": "Optional. The type of the group member. Subnet member type is used for routing configurations." + } + }, "staticMembers": { "$ref": "#/definitions/staticMembersType", "metadata": { 
@@ -68,15 +82,16 @@ "networkManager": { "existing": true, "type": "Microsoft.Network/networkManagers", - "apiVersion": "2023-11-01", + "apiVersion": "2024-05-01", "name": "[parameters('networkManagerName')]" }, "networkGroup": { "type": "Microsoft.Network/networkManagers/networkGroups", - "apiVersion": "2023-11-01", + "apiVersion": "2024-05-01", "name": "[format('{0}/{1}', parameters('networkManagerName'), parameters('name'))]", "properties": { - "description": "[coalesce(parameters('description'), '')]" + "description": "[parameters('description')]", + "memberType": "[parameters('memberType')]" } }, "networkGroup_staticMembers": { @@ -113,10 +128,10 @@ "_generator": { "name": "bicep", "version": "0.32.4.45862", - "templateHash": "17179520824104313247" + "templateHash": "10207263536223853430" }, "name": "Network Manager Network Group Static Members", - "description": "This module deploys a Network Manager Network Group Static Member.\nStatic membership allows you to explicitly add virtual networks to a group by manually selecting individual virtual networks.", + "description": "This module deploys a Network Manager Network Group Static Member.\r\nStatic membership allows you to explicitly add virtual networks to a group by manually selecting individual virtual networks.", "owner": "Azure/module-maintainers" }, "parameters": { @@ -148,7 +163,7 @@ "resources": [ { "type": "Microsoft.Network/networkManagers/networkGroups/staticMembers", - "apiVersion": "2023-11-01", + "apiVersion": "2024-05-01", "name": "[format('{0}/{1}/{2}', parameters('networkManagerName'), parameters('networkGroupName'), parameters('name'))]", "properties": { "resourceId": "[parameters('resourceId')]" diff --git a/avm/res/network/network-manager/network-group/static-member/README.md b/avm/res/network/network-manager/network-group/static-member/README.md index 1c7fed096a..7cb930fac4 100644 --- a/avm/res/network/network-manager/network-group/static-member/README.md 
+++ b/avm/res/network/network-manager/network-group/static-member/README.md
@@ -13,7 +13,7 @@ Static membership allows you to explicitly add virtual networks to a group by ma
 
 | Resource Type | API Version |
 | :-- | :-- |
-| `Microsoft.Network/networkManagers/networkGroups/staticMembers` | [2023-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-11-01/networkManagers/networkGroups/staticMembers) |
+| `Microsoft.Network/networkManagers/networkGroups/staticMembers` | [2024-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2024-05-01/networkManagers/networkGroups/staticMembers) |
 
 ## Parameters
 
diff --git a/avm/res/network/network-manager/network-group/static-member/main.bicep b/avm/res/network/network-manager/network-group/static-member/main.bicep
index 2394d101c9..980977249b 100644
--- a/avm/res/network/network-manager/network-group/static-member/main.bicep
+++ b/avm/res/network/network-manager/network-group/static-member/main.bicep
@@ -15,15 +15,15 @@ param name string
 @description('Required. Resource ID of the virtual network.')
 param resourceId string
 
-resource networkManager 'Microsoft.Network/networkManagers@2023-11-01' existing = {
+resource networkManager 'Microsoft.Network/networkManagers@2024-05-01' existing = {
   name: networkManagerName
 
-  resource networkGroup 'networkGroups@2023-11-01' existing = {
+  resource networkGroup 'networkGroups' existing = {
     name: networkGroupName
   }
 }
 
-resource staticMember 'Microsoft.Network/networkManagers/networkGroups/staticMembers@2023-11-01' = {
+resource staticMember 'Microsoft.Network/networkManagers/networkGroups/staticMembers@2024-05-01' = {
   name: name
   parent: networkManager::networkGroup
   properties: {
diff --git a/avm/res/network/network-manager/network-group/static-member/main.json b/avm/res/network/network-manager/network-group/static-member/main.json
index 001b6db29c..d62dd49b66 100644
--- a/avm/res/network/network-manager/network-group/static-member/main.json
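Review bot: `@description('Required. Resource ID of the virtual network.')` on the `resourceId` context line is now incomplete, because the parent network group in this same commit gains `memberType: 'Subnet'`, in which case a static member has to reference a subnet rather than a virtual network; suggest `@description('Required. Resource ID of the virtual network or subnet to add to the network group. Must match the memberType of the parent network group.')`. The template itself cannot validate that the ID matches the parent's member type, so the description is where a caller learns about the constraint. Dropping the API version on the nested `networkGroup` existing reference is valid Bicep (the child inherits the parent's 2024-05-01), but a short comment such as `// API version inherited from the parent networkManager resource` would keep the next reader from "fixing" it back to an explicit, possibly diverging, version. This file also uses `@description` where the sibling modules in the commit use `@sys.description`; aligning them is a small style point.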
+++ b/avm/res/network/network-manager/network-group/static-member/main.json @@ -5,10 +5,10 @@ "_generator": { "name": "bicep", "version": "0.32.4.45862", - "templateHash": "17179520824104313247" + "templateHash": "10207263536223853430" }, "name": "Network Manager Network Group Static Members", - "description": "This module deploys a Network Manager Network Group Static Member.\nStatic membership allows you to explicitly add virtual networks to a group by manually selecting individual virtual networks.", + "description": "This module deploys a Network Manager Network Group Static Member.\r\nStatic membership allows you to explicitly add virtual networks to a group by manually selecting individual virtual networks.", "owner": "Azure/module-maintainers" }, "parameters": { @@ -40,7 +40,7 @@ "resources": [ { "type": "Microsoft.Network/networkManagers/networkGroups/staticMembers", - "apiVersion": "2023-11-01", + "apiVersion": "2024-05-01", "name": "[format('{0}/{1}/{2}', parameters('networkManagerName'), parameters('networkGroupName'), parameters('name'))]", "properties": { "resourceId": "[parameters('resourceId')]" diff --git a/avm/res/network/network-manager/routing-configuration/README.md b/avm/res/network/network-manager/routing-configuration/README.md new file mode 100644 index 0000000000..e35018573f --- /dev/null +++ b/avm/res/network/network-manager/routing-configuration/README.md 
@@ -0,0 +1,245 @@ +# Network Manager Routing Configurations `[Microsoft.Network/networkManagers/routingConfigurations]` + +This module deploys an Network Manager Routing Configuration. +Routing configurations are the building blocks of UDR management. They're used to describe the desired routing behavior for a network group. + +## Navigation + +- [Resource Types](#Resource-Types) +- [Parameters](#Parameters) +- [Outputs](#Outputs) + +## Resource Types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.Network/networkManagers/routingConfigurations` | [2024-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2024-05-01/networkManagers/routingConfigurations) | +| `Microsoft.Network/networkManagers/routingConfigurations/ruleCollections` | [2024-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2024-05-01/networkManagers/routingConfigurations/ruleCollections) | +| `Microsoft.Network/networkManagers/routingConfigurations/ruleCollections/rules` | [2024-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2024-05-01/networkManagers/routingConfigurations/ruleCollections/rules) | + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-name) | string | The name of the routing configuration. | + +**Conditional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`networkManagerName`](#parameter-networkmanagername) | string | The name of the parent network manager. Required if the template is used in a standalone deployment. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`description`](#parameter-description) | string | A description of the routing configuration. | +| [`ruleCollections`](#parameter-rulecollections) | array | A routing configuration contains a set of rule collections that are applied to network groups. 
Each rule collection contains one or more routing rules. | + +### Parameter: `name` + +The name of the routing configuration. + +- Required: Yes +- Type: string + +### Parameter: `networkManagerName` + +The name of the parent network manager. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + +### Parameter: `description` + +A description of the routing configuration. + +- Required: No +- Type: string +- Default: `''` + +### Parameter: `ruleCollections` + +A routing configuration contains a set of rule collections that are applied to network groups. Each rule collection contains one or more routing rules. + +- Required: No +- Type: array + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`appliesTo`](#parameter-rulecollectionsappliesto) | array | List of network groups for configuration. A routing rule collection must be associated to at least one network group. | +| [`name`](#parameter-rulecollectionsname) | string | The name of the rule collection. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`description`](#parameter-rulecollectionsdescription) | string | A description of the rule collection. | +| [`disableBgpRoutePropagation`](#parameter-rulecollectionsdisablebgproutepropagation) | bool | Disables BGP route propagation for the rule collection. Defaults to true. | +| [`rules`](#parameter-rulecollectionsrules) | array | List of rules for the routing rules collection. Warning: A rule collection without a rule will cause a deployment of routing configuration to fail in network manager. | + +### Parameter: `ruleCollections.appliesTo` + +List of network groups for configuration. A routing rule collection must be associated to at least one network group. 
+ +- Required: Yes +- Type: array + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`networkGroupResourceId`](#parameter-rulecollectionsappliestonetworkgroupresourceid) | string | The resource ID of the network group. | + +### Parameter: `ruleCollections.appliesTo.networkGroupResourceId` + +The resource ID of the network group. + +- Required: Yes +- Type: string + +### Parameter: `ruleCollections.name` + +The name of the rule collection. + +- Required: Yes +- Type: string + +### Parameter: `ruleCollections.description` + +A description of the rule collection. + +- Required: No +- Type: string + +### Parameter: `ruleCollections.disableBgpRoutePropagation` + +Disables BGP route propagation for the rule collection. Defaults to true. + +- Required: No +- Type: bool + +### Parameter: `ruleCollections.rules` + +List of rules for the routing rules collection. Warning: A rule collection without a rule will cause a deployment of routing configuration to fail in network manager. + +- Required: No +- Type: array + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`destination`](#parameter-rulecollectionsrulesdestination) | object | The destination can be IP addresses or Service Tag for this route. Address Prefixes are defined using the CIDR format, while Service tags are predefined identifiers that represent a category of IP addresses, which are managed by Azure. | +| [`name`](#parameter-rulecollectionsrulesname) | string | The name of the rule. | +| [`nextHop`](#parameter-rulecollectionsrulesnexthop) | object | The next hop handles the matching packets for this route. It can be the virtual network, the virtual network gateway, the internet, a virtual appliance, or none. Virtual network gateways cannot be used if the address prefix is IPv6. If the next hop type is VirtualAppliance, the next hop address must be specified. 
| + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`description`](#parameter-rulecollectionsrulesdescription) | string | A description of the rule. | + +### Parameter: `ruleCollections.rules.destination` + +The destination can be IP addresses or Service Tag for this route. Address Prefixes are defined using the CIDR format, while Service tags are predefined identifiers that represent a category of IP addresses, which are managed by Azure. + +- Required: Yes +- Type: object + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`destinationAddress`](#parameter-rulecollectionsrulesdestinationdestinationaddress) | string | The destination IP addresses or Service Tag for this route. For IP addresses, it is the IP address range in CIDR notation that this route applies to. If the destination IP address of a packet falls in this range, it matches this route. As for Service Tags, valid identifiers can be "AzureCloud", "Storage.AustraliaEast", etc. See https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview for more information on service tags. | +| [`type`](#parameter-rulecollectionsrulesdestinationtype) | string | The destination type can be IP addresses or Service Tag for this route. Address Prefixes are defined using the CIDR format, while Service tags are predefined identifiers that represent a category of IP addresses, which are managed by Azure. | + +### Parameter: `ruleCollections.rules.destination.destinationAddress` + +The destination IP addresses or Service Tag for this route. For IP addresses, it is the IP address range in CIDR notation that this route applies to. If the destination IP address of a packet falls in this range, it matches this route. As for Service Tags, valid identifiers can be "AzureCloud", "Storage.AustraliaEast", etc. See https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview for more information on service tags. 
+ +- Required: Yes +- Type: string + +### Parameter: `ruleCollections.rules.destination.type` + +The destination type can be IP addresses or Service Tag for this route. Address Prefixes are defined using the CIDR format, while Service tags are predefined identifiers that represent a category of IP addresses, which are managed by Azure. + +- Required: Yes +- Type: string +- Allowed: + ```Bicep + [ + 'AddressPrefix' + 'ServiceTag' + ] + ``` + +### Parameter: `ruleCollections.rules.name` + +The name of the rule. + +- Required: Yes +- Type: string + +### Parameter: `ruleCollections.rules.nextHop` + +The next hop handles the matching packets for this route. It can be the virtual network, the virtual network gateway, the internet, a virtual appliance, or none. Virtual network gateways cannot be used if the address prefix is IPv6. If the next hop type is VirtualAppliance, the next hop address must be specified. + +- Required: Yes +- Type: object + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`nextHopType`](#parameter-rulecollectionsrulesnexthopnexthoptype) | string | The next hop handles the matching packets for this route. It can be the virtual network, the virtual network gateway, the internet, a virtual appliance, or none. Virtual network gateways cannot be used if the address prefix is IPv6. If the next hop type is VirtualAppliance, the next hop address must be specified. | + +**Conditional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`nextHopAddress`](#parameter-rulecollectionsrulesnexthopnexthopaddress) | string | The IP address of the next hop. Required if the next hop type is VirtualAppliance. | + +### Parameter: `ruleCollections.rules.nextHop.nextHopType` + +The next hop handles the matching packets for this route. It can be the virtual network, the virtual network gateway, the internet, a virtual appliance, or none. Virtual network gateways cannot be used if the address prefix is IPv6. 
If the next hop type is VirtualAppliance, the next hop address must be specified. + +- Required: Yes +- Type: string +- Allowed: + ```Bicep + [ + 'Internet' + 'NoNextHop' + 'VirtualAppliance' + 'VirtualNetworkGateway' + 'VnetLocal' + ] + ``` + +### Parameter: `ruleCollections.rules.nextHop.nextHopAddress` + +The IP address of the next hop. Required if the next hop type is VirtualAppliance. + +- Required: No +- Type: string + +### Parameter: `ruleCollections.rules.description` + +A description of the rule. + +- Required: No +- Type: string + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the deployed routing configuration. | +| `resourceGroupName` | string | The resource group the routing configuration was deployed into. | +| `resourceId` | string | The resource ID of the deployed routing configuration. | diff --git a/avm/res/network/network-manager/routing-configuration/main.bicep b/avm/res/network/network-manager/routing-configuration/main.bicep new file mode 100644 index 0000000000..3ce778a0e4 --- /dev/null +++ b/avm/res/network/network-manager/routing-configuration/main.bicep 
@@ -0,0 +1,77 @@
+metadata name = 'Network Manager Routing Configurations'
+metadata description = '''This module deploys an Network Manager Routing Configuration.
+Routing configurations are the building blocks of UDR management. They're used to describe the desired routing behavior for a network group.'''
+metadata owner = 'Azure/module-maintainers'
+
+@sys.description('Conditional. The name of the parent network manager. Required if the template is used in a standalone deployment.')
+param networkManagerName string
+
+@maxLength(64)
+@sys.description('Required. The name of the routing configuration.')
+param name string
+
+@maxLength(500)
+@sys.description('Optional. A description of the routing configuration.')
+param description string = ''
+
+@sys.description('Optional. A routing configuration contains a set of rule collections that are applied to network groups. Each rule collection contains one or more routing rules.')
+param ruleCollections routingConfigurationRuleCollectionType
+
+resource networkManager 'Microsoft.Network/networkManagers@2024-05-01' existing = {
+ name: networkManagerName
+}
+
+resource routingConfigurations 'Microsoft.Network/networkManagers/routingConfigurations@2024-05-01' = {
+ name: name
+ parent: networkManager
+ properties: {
+ description: description
+ }
+}
+
+module routingConfigurations_ruleCollections 'rule-collection/main.bicep' = [
+ for (ruleCollection, index) in ruleCollections ?? []: {
+ name: '${uniqueString(deployment().name)}-RoutingConfigurations-RuleCollections-${index}'
+ params: {
+ networkManagerName: networkManager.name
+ routingConfigurationName: routingConfigurations.name
+ name: ruleCollection.name
+ description: ruleCollection.?description
+ appliesTo: ruleCollection.appliesTo
+ disableBgpRoutePropagation: ruleCollection.?disableBgpRoutePropagation
+ rules: ruleCollection.?rules ?? []
+ }
+ }
+]
+
+@sys.description('The name of the deployed routing configuration.')
+output name string = routingConfigurations.name
+
+@sys.description('The resource ID of the deployed routing configuration.')
+output resourceId string = routingConfigurations.id
+
+@sys.description('The resource group the routing configuration was deployed into.')
+output resourceGroupName string = resourceGroup().name
+
+// =============== //
+// Definitions //
+// =============== //
+
+import { appliesToType, rulesType } from 'rule-collection/main.bicep'
+@export()
+type routingConfigurationRuleCollectionType = {
+ @sys.description('Required. The name of the rule collection.')
+ name: string
+
+ @sys.description('Optional. A description of the rule collection.')
+ description: string?
+
+ @sys.description('Required. List of network groups for configuration. A routing rule collection must be associated to at least one network group.')
+ appliesTo: appliesToType
+
+ @sys.description('Optional. Disables BGP route propagation for the rule collection. Defaults to true.')
+ disableBgpRoutePropagation: bool?
+
+ @sys.description('Optional. List of rules for the routing rules collection. Warning: A rule collection without a rule will cause a deployment of routing configuration to fail in network manager.')
+ rules: rulesType?
+}[]?
diff --git a/avm/res/network/network-manager/routing-configuration/main.json b/avm/res/network/network-manager/routing-configuration/main.json
new file mode 100644
index 0000000000..f89de9e7d6
--- /dev/null
+++ b/avm/res/network/network-manager/routing-configuration/main.json
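Review bot: The description of `disableBgpRoutePropagation` in `routingConfigurationRuleCollectionType` ("Disables BGP route propagation for the rule collection. Defaults to true.") documents a default this module never sets: the value is forwarded as `ruleCollection.?disableBgpRoutePropagation`, so it is null when omitted and the `true` default is applied by the rule-collection module, whose own README words the same parameter as "Determines whether BGP route propagation is enabled" — two descriptions a reader can easily take as opposites for a flag whose default turns propagation off for every network group the collection applies to. I would state the effect and where the default comes from, e.g. `@sys.description('Optional. Set to true to stop BGP-learned routes from being propagated to the network groups this collection applies to. If omitted, the rule-collection module applies its default of true (propagation disabled).')`. The `appliesTo` description says a collection "must be associated to at least one network group", but the type does not enforce it; if Bicep accepts `@minLength(1)` on a property typed with the imported `appliesToType`, adding it would reject an empty list at validation rather than at deployment. Minor: the module description reads "deploys an Network Manager Routing Configuration" — "a Network Manager".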
@@ -0,0 +1,717 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.32.4.45862", + "templateHash": "11438426137887406030" + }, + "name": "Network Manager Routing Configurations", + "description": "This module deploys an Network Manager Routing Configuration.\r\nRouting configurations are the building blocks of UDR management. They're used to describe the desired routing behavior for a network group.", + "owner": "Azure/module-maintainers" + }, + "definitions": { + "routingConfigurationRuleCollectionType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the rule collection." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. A description of the rule collection." + } + }, + "appliesTo": { + "$ref": "#/definitions/appliesToType", + "metadata": { + "description": "Required. List of network groups for configuration. A routing rule collection must be associated to at least one network group." + } + }, + "disableBgpRoutePropagation": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Disables BGP route propagation for the rule collection. Defaults to true." + } + }, + "rules": { + "$ref": "#/definitions/rulesType", + "nullable": true, + "metadata": { + "description": "Optional. List of rules for the routing rules collection. Warning: A rule collection without a rule will cause a deployment of routing configuration to fail in network manager." 
+ } + } + } + }, + "nullable": true, + "metadata": { + "__bicep_export!": true + } + }, + "_1.destinationType": { + "type": "object", + "properties": { + "type": { + "type": "string", + "allowedValues": [ + "AddressPrefix", + "ServiceTag" + ], + "metadata": { + "description": "Required. The destination type can be IP addresses or Service Tag for this route. Address Prefixes are defined using the CIDR format, while Service tags are predefined identifiers that represent a category of IP addresses, which are managed by Azure." + } + }, + "destinationAddress": { + "type": "string", + "metadata": { + "description": "Required. The destination IP addresses or Service Tag for this route. For IP addresses, it is the IP address range in CIDR notation that this route applies to. If the destination IP address of a packet falls in this range, it matches this route. As for Service Tags, valid identifiers can be \"AzureCloud\", \"Storage.AustraliaEast\", etc. See https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview for more information on service tags." + } + } + }, + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "rule-collection/rule/main.bicep" + } + } + }, + "_1.nextHopType": { + "type": "object", + "properties": { + "nextHopType": { + "type": "string", + "allowedValues": [ + "Internet", + "NoNextHop", + "VirtualAppliance", + "VirtualNetworkGateway", + "VnetLocal" + ], + "metadata": { + "description": "Required. The next hop handles the matching packets for this route. It can be the virtual network, the virtual network gateway, the internet, a virtual appliance, or none. Virtual network gateways cannot be used if the address prefix is IPv6. If the next hop type is VirtualAppliance, the next hop address must be specified." + } + }, + "nextHopAddress": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Conditional. The IP address of the next hop. Required if the next hop type is VirtualAppliance." 
+ } + } + }, + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "rule-collection/rule/main.bicep" + } + } + }, + "appliesToType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "networkGroupResourceId": { + "type": "string", + "metadata": { + "description": "Required. The resource ID of the network group." + } + } + } + }, + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "rule-collection/main.bicep" + } + } + }, + "rulesType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the rule." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. A description of the rule." + } + }, + "destination": { + "$ref": "#/definitions/_1.destinationType", + "metadata": { + "description": "Required. The destination can be IP addresses or Service Tag for this route. Address Prefixes are defined using the CIDR format, while Service tags are predefined identifiers that represent a category of IP addresses, which are managed by Azure." + } + }, + "nextHop": { + "$ref": "#/definitions/_1.nextHopType", + "metadata": { + "description": "Required. The next hop handles the matching packets for this route. It can be the virtual network, the virtual network gateway, the internet, a virtual appliance, or none. Virtual network gateways cannot be used if the address prefix is IPv6. If the next hop type is VirtualAppliance, the next hop address must be specified." + } + } + } + }, + "nullable": true, + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "rule-collection/main.bicep" + } + } + } + }, + "parameters": { + "networkManagerName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent network manager. Required if the template is used in a standalone deployment." 
+ } + }, + "name": { + "type": "string", + "maxLength": 64, + "metadata": { + "description": "Required. The name of the routing configuration." + } + }, + "description": { + "type": "string", + "defaultValue": "", + "maxLength": 500, + "metadata": { + "description": "Optional. A description of the routing configuration." + } + }, + "ruleCollections": { + "$ref": "#/definitions/routingConfigurationRuleCollectionType", + "metadata": { + "description": "Optional. A routing configuration contains a set of rule collections that are applied to network groups. Each rule collection contains one or more routing rules." + } + } + }, + "resources": { + "networkManager": { + "existing": true, + "type": "Microsoft.Network/networkManagers", + "apiVersion": "2024-05-01", + "name": "[parameters('networkManagerName')]" + }, + "routingConfigurations": { + "type": "Microsoft.Network/networkManagers/routingConfigurations", + "apiVersion": "2024-05-01", + "name": "[format('{0}/{1}', parameters('networkManagerName'), parameters('name'))]", + "properties": { + "description": "[parameters('description')]" + } + }, + "routingConfigurations_ruleCollections": { + "copy": { + "name": "routingConfigurations_ruleCollections", + "count": "[length(coalesce(parameters('ruleCollections'), createArray()))]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-RoutingConfigurations-RuleCollections-{1}', uniqueString(deployment().name), copyIndex())]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "networkManagerName": { + "value": "[parameters('networkManagerName')]" + }, + "routingConfigurationName": { + "value": "[parameters('name')]" + }, + "name": { + "value": "[coalesce(parameters('ruleCollections'), createArray())[copyIndex()].name]" + }, + "description": { + "value": "[tryGet(coalesce(parameters('ruleCollections'), createArray())[copyIndex()], 'description')]" + }, + 
"appliesTo": { + "value": "[coalesce(parameters('ruleCollections'), createArray())[copyIndex()].appliesTo]" + }, + "disableBgpRoutePropagation": { + "value": "[tryGet(coalesce(parameters('ruleCollections'), createArray())[copyIndex()], 'disableBgpRoutePropagation')]" + }, + "rules": { + "value": "[coalesce(tryGet(coalesce(parameters('ruleCollections'), createArray())[copyIndex()], 'rules'), createArray())]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.32.4.45862", + "templateHash": "12392053229903210262" + }, + "name": "Network Manager Routing Configuration Rule Collections", + "description": "This module deploys an Network Manager Routing Configuration Rule Collection.\r\nRouting configurations are the building blocks of UDR management. They're used to describe the desired routing behavior for a network group. Each routing configuration contains one ore more rule collections. Warning: A rule collection without a rule will cause a deployment of routing configuration to fail in network manager.", + "owner": "Azure/module-maintainers" + }, + "definitions": { + "appliesToType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "networkGroupResourceId": { + "type": "string", + "metadata": { + "description": "Required. The resource ID of the network group." + } + } + } + }, + "metadata": { + "__bicep_export!": true + } + }, + "rulesType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the rule." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. A description of the rule." 
+ } + }, + "destination": { + "$ref": "#/definitions/destinationType", + "metadata": { + "description": "Required. The destination can be IP addresses or Service Tag for this route. Address Prefixes are defined using the CIDR format, while Service tags are predefined identifiers that represent a category of IP addresses, which are managed by Azure." + } + }, + "nextHop": { + "$ref": "#/definitions/nextHopType", + "metadata": { + "description": "Required. The next hop handles the matching packets for this route. It can be the virtual network, the virtual network gateway, the internet, a virtual appliance, or none. Virtual network gateways cannot be used if the address prefix is IPv6. If the next hop type is VirtualAppliance, the next hop address must be specified." + } + } + } + }, + "nullable": true, + "metadata": { + "__bicep_export!": true + } + }, + "destinationType": { + "type": "object", + "properties": { + "type": { + "type": "string", + "allowedValues": [ + "AddressPrefix", + "ServiceTag" + ], + "metadata": { + "description": "Required. The destination type can be IP addresses or Service Tag for this route. Address Prefixes are defined using the CIDR format, while Service tags are predefined identifiers that represent a category of IP addresses, which are managed by Azure." + } + }, + "destinationAddress": { + "type": "string", + "metadata": { + "description": "Required. The destination IP addresses or Service Tag for this route. For IP addresses, it is the IP address range in CIDR notation that this route applies to. If the destination IP address of a packet falls in this range, it matches this route. As for Service Tags, valid identifiers can be \"AzureCloud\", \"Storage.AustraliaEast\", etc. See https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview for more information on service tags." 
+ } + } + }, + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "rule/main.bicep" + } + } + }, + "nextHopType": { + "type": "object", + "properties": { + "nextHopType": { + "type": "string", + "allowedValues": [ + "Internet", + "NoNextHop", + "VirtualAppliance", + "VirtualNetworkGateway", + "VnetLocal" + ], + "metadata": { + "description": "Required. The next hop handles the matching packets for this route. It can be the virtual network, the virtual network gateway, the internet, a virtual appliance, or none. Virtual network gateways cannot be used if the address prefix is IPv6. If the next hop type is VirtualAppliance, the next hop address must be specified." + } + }, + "nextHopAddress": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Conditional. The IP address of the next hop. Required if the next hop type is VirtualAppliance." + } + } + }, + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "rule/main.bicep" + } + } + } + }, + "parameters": { + "networkManagerName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent network manager. Required if the template is used in a standalone deployment." + } + }, + "routingConfigurationName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent Routing Configuration. Required if the template is used in a standalone deployment." + } + }, + "name": { + "type": "string", + "maxLength": 64, + "metadata": { + "description": "Required. The name of the routing rule collection." + } + }, + "description": { + "type": "string", + "defaultValue": "", + "maxLength": 500, + "metadata": { + "description": "Optional. A description of the routing rule collection." + } + }, + "appliesTo": { + "$ref": "#/definitions/appliesToType", + "metadata": { + "description": "Required. List of network groups for configuration. A routing rule collection must be associated to at least one network group." 
+ } + }, + "disableBgpRoutePropagation": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Determines whether BGP route propagation is enabled for the routing rule collection. Defaults to true." + } + }, + "rules": { + "$ref": "#/definitions/rulesType", + "metadata": { + "description": "Optional. List of rules for the routing rules collection. Warning: A rule collection without a rule will cause a deployment of routing configuration to fail in network manager." + } + } + }, + "resources": { + "networkManager::routingConfiguration": { + "existing": true, + "type": "Microsoft.Network/networkManagers/routingConfigurations", + "apiVersion": "2024-05-01", + "name": "[format('{0}/{1}', parameters('networkManagerName'), parameters('routingConfigurationName'))]" + }, + "networkManager": { + "existing": true, + "type": "Microsoft.Network/networkManagers", + "apiVersion": "2024-05-01", + "name": "[parameters('networkManagerName')]" + }, + "ruleCollection": { + "type": "Microsoft.Network/networkManagers/routingConfigurations/ruleCollections", + "apiVersion": "2024-05-01", + "name": "[format('{0}/{1}/{2}', parameters('networkManagerName'), parameters('routingConfigurationName'), parameters('name'))]", + "properties": { + "description": "[parameters('description')]", + "appliesTo": "[map(parameters('appliesTo'), lambda('group', createObject('networkGroupId', lambdaVariables('group').networkGroupResourceId)))]", + "disableBgpRoutePropagation": "[string(parameters('disableBgpRoutePropagation'))]" + } + }, + "ruleCollection_rules": { + "copy": { + "name": "ruleCollection_rules", + "count": "[length(coalesce(parameters('rules'), createArray()))]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-RuleCollections-Rules-{1}', uniqueString(deployment().name), copyIndex())]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + 
"networkManagerName": { + "value": "[parameters('networkManagerName')]" + }, + "routingConfigurationName": { + "value": "[parameters('routingConfigurationName')]" + }, + "ruleCollectionName": { + "value": "[parameters('name')]" + }, + "name": { + "value": "[coalesce(parameters('rules'), createArray())[copyIndex()].name]" + }, + "description": { + "value": "[tryGet(coalesce(parameters('rules'), createArray())[copyIndex()], 'description')]" + }, + "destination": { + "value": "[coalesce(parameters('rules'), createArray())[copyIndex()].destination]" + }, + "nextHop": { + "value": "[coalesce(parameters('rules'), createArray())[copyIndex()].nextHop]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.32.4.45862", + "templateHash": "16150172197183244404" + }, + "name": "Network Manager Routing configuration Rule Collection Rules", + "description": "This module deploys an Azure Virtual Network Manager (AVNM) Routing Configuration Rule Collection Rule.\r\nA Routing configuration contains a set of rule collections. Each rule collection contains one or more routing rules.", + "owner": "Azure/module-maintainers" + }, + "definitions": { + "destinationType": { + "type": "object", + "properties": { + "type": { + "type": "string", + "allowedValues": [ + "AddressPrefix", + "ServiceTag" + ], + "metadata": { + "description": "Required. The destination type can be IP addresses or Service Tag for this route. Address Prefixes are defined using the CIDR format, while Service tags are predefined identifiers that represent a category of IP addresses, which are managed by Azure." + } + }, + "destinationAddress": { + "type": "string", + "metadata": { + "description": "Required. The destination IP addresses or Service Tag for this route. 
For IP addresses, it is the IP address range in CIDR notation that this route applies to. If the destination IP address of a packet falls in this range, it matches this route. As for Service Tags, valid identifiers can be \"AzureCloud\", \"Storage.AustraliaEast\", etc. See https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview for more information on service tags." + } + } + }, + "metadata": { + "__bicep_export!": true + } + }, + "nextHopType": { + "type": "object", + "properties": { + "nextHopType": { + "type": "string", + "allowedValues": [ + "Internet", + "NoNextHop", + "VirtualAppliance", + "VirtualNetworkGateway", + "VnetLocal" + ], + "metadata": { + "description": "Required. The next hop handles the matching packets for this route. It can be the virtual network, the virtual network gateway, the internet, a virtual appliance, or none. Virtual network gateways cannot be used if the address prefix is IPv6. If the next hop type is VirtualAppliance, the next hop address must be specified." + } + }, + "nextHopAddress": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Conditional. The IP address of the next hop. Required if the next hop type is VirtualAppliance." + } + } + }, + "metadata": { + "__bicep_export!": true + } + } + }, + "parameters": { + "networkManagerName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent network manager. Required if the template is used in a standalone deployment." + } + }, + "routingConfigurationName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent Routing configuration. Required if the template is used in a standalone deployment." + } + }, + "ruleCollectionName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent rule collection. Required if the template is used in a standalone deployment." 
+ } + }, + "name": { + "type": "string", + "maxLength": 64, + "metadata": { + "description": "Required. The name of the rule." + } + }, + "description": { + "type": "string", + "defaultValue": "", + "maxLength": 500, + "metadata": { + "description": "Optional. A description of the rule." + } + }, + "destination": { + "$ref": "#/definitions/destinationType", + "metadata": { + "description": "Required. The destination can be IP addresses or Service Tag for this route. Address Prefixes are defined using the CIDR format, while Service tags are predefined identifiers that represent a category of IP addresses, which are managed by Azure." + } + }, + "nextHop": { + "$ref": "#/definitions/nextHopType", + "metadata": { + "description": "Required. The next hop handles the matching packets for this route. It can be the virtual network, the virtual network gateway, the internet, a virtual appliance, or none. Virtual network gateways cannot be used if the address prefix is IPv6. If the next hop type is VirtualAppliance, the next hop address must be specified." 
+ } + } + }, + "resources": { + "networkManager::routingConfiguration::ruleCollection": { + "existing": true, + "type": "Microsoft.Network/networkManagers/routingConfigurations/ruleCollections", + "apiVersion": "2024-05-01", + "name": "[format('{0}/{1}/{2}', parameters('networkManagerName'), parameters('routingConfigurationName'), parameters('ruleCollectionName'))]" + }, + "networkManager::routingConfiguration": { + "existing": true, + "type": "Microsoft.Network/networkManagers/routingConfigurations", + "apiVersion": "2024-05-01", + "name": "[format('{0}/{1}', parameters('networkManagerName'), parameters('routingConfigurationName'))]" + }, + "networkManager": { + "existing": true, + "type": "Microsoft.Network/networkManagers", + "apiVersion": "2024-05-01", + "name": "[parameters('networkManagerName')]" + }, + "rule": { + "type": "Microsoft.Network/networkManagers/routingConfigurations/ruleCollections/rules", + "apiVersion": "2024-05-01", + "name": "[format('{0}/{1}/{2}/{3}', parameters('networkManagerName'), parameters('routingConfigurationName'), parameters('ruleCollectionName'), parameters('name'))]", + "properties": { + "description": "[parameters('description')]", + "destination": "[parameters('destination')]", + "nextHop": "[parameters('nextHop')]" + } + } + }, + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the deployed rule." + }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the deployed rule." + }, + "value": "[resourceId('Microsoft.Network/networkManagers/routingConfigurations/ruleCollections/rules', parameters('networkManagerName'), parameters('routingConfigurationName'), parameters('ruleCollectionName'), parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The resource group the rule was deployed into." 
+ }, + "value": "[resourceGroup().name]" + } + } + } + }, + "dependsOn": [ + "ruleCollection" + ] + } + }, + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the deployed routing rule collection." + }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the deployed routing rule collection." + }, + "value": "[resourceId('Microsoft.Network/networkManagers/routingConfigurations/ruleCollections', parameters('networkManagerName'), parameters('routingConfigurationName'), parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The resource group the routing rule collection was deployed into." + }, + "value": "[resourceGroup().name]" + } + } + } + }, + "dependsOn": [ + "routingConfigurations" + ] + } + }, + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the deployed routing configuration." + }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the deployed routing configuration." + }, + "value": "[resourceId('Microsoft.Network/networkManagers/routingConfigurations', parameters('networkManagerName'), parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The resource group the routing configuration was deployed into." + }, + "value": "[resourceGroup().name]" + } + } +} \ No newline at end of file diff --git a/avm/res/network/network-manager/routing-configuration/rule-collection/README.md b/avm/res/network/network-manager/routing-configuration/rule-collection/README.md new file mode 100644 index 0000000000..5b9db17049 --- /dev/null +++ b/avm/res/network/network-manager/routing-configuration/rule-collection/README.md 
@@ -0,0 +1,219 @@ +# Network Manager Routing Configuration Rule Collections `[Microsoft.Network/networkManagers/routingConfigurations/ruleCollections]` + +This module deploys an Network Manager Routing Configuration Rule Collection. +Routing configurations are the building blocks of UDR management. They're used to describe the desired routing behavior for a network group. Each routing configuration contains one ore more rule collections. Warning: A rule collection without a rule will cause a deployment of routing configuration to fail in network manager. + +## Navigation + +- [Resource Types](#Resource-Types) +- [Parameters](#Parameters) +- [Outputs](#Outputs) + +## Resource Types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.Network/networkManagers/routingConfigurations/ruleCollections` | [2024-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2024-05-01/networkManagers/routingConfigurations/ruleCollections) | +| `Microsoft.Network/networkManagers/routingConfigurations/ruleCollections/rules` | [2024-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2024-05-01/networkManagers/routingConfigurations/ruleCollections/rules) | + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`appliesTo`](#parameter-appliesto) | array | List of network groups for configuration. A routing rule collection must be associated to at least one network group. | +| [`name`](#parameter-name) | string | The name of the routing rule collection. | + +**Conditional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`networkManagerName`](#parameter-networkmanagername) | string | The name of the parent network manager. Required if the template is used in a standalone deployment. | +| [`routingConfigurationName`](#parameter-routingconfigurationname) | string | The name of the parent Routing Configuration. 
Required if the template is used in a standalone deployment. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`description`](#parameter-description) | string | A description of the routing rule collection. | +| [`disableBgpRoutePropagation`](#parameter-disablebgproutepropagation) | bool | Determines whether BGP route propagation is enabled for the routing rule collection. Defaults to true. | +| [`rules`](#parameter-rules) | array | List of rules for the routing rules collection. Warning: A rule collection without a rule will cause a deployment of routing configuration to fail in network manager. | + +### Parameter: `appliesTo` + +List of network groups for configuration. A routing rule collection must be associated to at least one network group. + +- Required: Yes +- Type: array + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`networkGroupResourceId`](#parameter-appliestonetworkgroupresourceid) | string | The resource ID of the network group. | + +### Parameter: `appliesTo.networkGroupResourceId` + +The resource ID of the network group. + +- Required: Yes +- Type: string + +### Parameter: `name` + +The name of the routing rule collection. + +- Required: Yes +- Type: string + +### Parameter: `networkManagerName` + +The name of the parent network manager. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + +### Parameter: `routingConfigurationName` + +The name of the parent Routing Configuration. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + +### Parameter: `description` + +A description of the routing rule collection. + +- Required: No +- Type: string +- Default: `''` + +### Parameter: `disableBgpRoutePropagation` + +Determines whether BGP route propagation is enabled for the routing rule collection. Defaults to true. 
+ +- Required: No +- Type: bool +- Default: `True` + +### Parameter: `rules` + +List of rules for the routing rules collection. Warning: A rule collection without a rule will cause a deployment of routing configuration to fail in network manager. + +- Required: No +- Type: array + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`destination`](#parameter-rulesdestination) | object | The destination can be IP addresses or Service Tag for this route. Address Prefixes are defined using the CIDR format, while Service tags are predefined identifiers that represent a category of IP addresses, which are managed by Azure. | +| [`name`](#parameter-rulesname) | string | The name of the rule. | +| [`nextHop`](#parameter-rulesnexthop) | object | The next hop handles the matching packets for this route. It can be the virtual network, the virtual network gateway, the internet, a virtual appliance, or none. Virtual network gateways cannot be used if the address prefix is IPv6. If the next hop type is VirtualAppliance, the next hop address must be specified. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`description`](#parameter-rulesdescription) | string | A description of the rule. | + +### Parameter: `rules.destination` + +The destination can be IP addresses or Service Tag for this route. Address Prefixes are defined using the CIDR format, while Service tags are predefined identifiers that represent a category of IP addresses, which are managed by Azure. + +- Required: Yes +- Type: object + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`destinationAddress`](#parameter-rulesdestinationdestinationaddress) | string | The destination IP addresses or Service Tag for this route. For IP addresses, it is the IP address range in CIDR notation that this route applies to. If the destination IP address of a packet falls in this range, it matches this route. 
As for Service Tags, valid identifiers can be "AzureCloud", "Storage.AustraliaEast", etc. See https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview for more information on service tags. | +| [`type`](#parameter-rulesdestinationtype) | string | The destination type can be IP addresses or Service Tag for this route. Address Prefixes are defined using the CIDR format, while Service tags are predefined identifiers that represent a category of IP addresses, which are managed by Azure. | + +### Parameter: `rules.destination.destinationAddress` + +The destination IP addresses or Service Tag for this route. For IP addresses, it is the IP address range in CIDR notation that this route applies to. If the destination IP address of a packet falls in this range, it matches this route. As for Service Tags, valid identifiers can be "AzureCloud", "Storage.AustraliaEast", etc. See https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview for more information on service tags. + +- Required: Yes +- Type: string + +### Parameter: `rules.destination.type` + +The destination type can be IP addresses or Service Tag for this route. Address Prefixes are defined using the CIDR format, while Service tags are predefined identifiers that represent a category of IP addresses, which are managed by Azure. + +- Required: Yes +- Type: string +- Allowed: + ```Bicep + [ + 'AddressPrefix' + 'ServiceTag' + ] + ``` + +### Parameter: `rules.name` + +The name of the rule. + +- Required: Yes +- Type: string + +### Parameter: `rules.nextHop` + +The next hop handles the matching packets for this route. It can be the virtual network, the virtual network gateway, the internet, a virtual appliance, or none. Virtual network gateways cannot be used if the address prefix is IPv6. If the next hop type is VirtualAppliance, the next hop address must be specified. 
+ +- Required: Yes +- Type: object + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`nextHopType`](#parameter-rulesnexthopnexthoptype) | string | The next hop handles the matching packets for this route. It can be the virtual network, the virtual network gateway, the internet, a virtual appliance, or none. Virtual network gateways cannot be used if the address prefix is IPv6. If the next hop type is VirtualAppliance, the next hop address must be specified. | + +**Conditional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`nextHopAddress`](#parameter-rulesnexthopnexthopaddress) | string | The IP address of the next hop. Required if the next hop type is VirtualAppliance. | + +### Parameter: `rules.nextHop.nextHopType` + +The next hop handles the matching packets for this route. It can be the virtual network, the virtual network gateway, the internet, a virtual appliance, or none. Virtual network gateways cannot be used if the address prefix is IPv6. If the next hop type is VirtualAppliance, the next hop address must be specified. + +- Required: Yes +- Type: string +- Allowed: + ```Bicep + [ + 'Internet' + 'NoNextHop' + 'VirtualAppliance' + 'VirtualNetworkGateway' + 'VnetLocal' + ] + ``` + +### Parameter: `rules.nextHop.nextHopAddress` + +The IP address of the next hop. Required if the next hop type is VirtualAppliance. + +- Required: No +- Type: string + +### Parameter: `rules.description` + +A description of the rule. + +- Required: No +- Type: string + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the deployed routing rule collection. | +| `resourceGroupName` | string | The resource group the routing rule collection was deployed into. | +| `resourceId` | string | The resource ID of the deployed routing rule collection. | 
diff --git a/avm/res/network/network-manager/routing-configuration/rule-collection/main.bicep b/avm/res/network/network-manager/routing-configuration/rule-collection/main.bicep
new file mode 100644
index 0000000000..f6080c1a7f
--- /dev/null
+++ b/avm/res/network/network-manager/routing-configuration/rule-collection/main.bicep
@@ -0,0 +1,97 @@
+metadata name = 'Network Manager Routing Configuration Rule Collections'
+metadata description = '''This module deploys an Network Manager Routing Configuration Rule Collection.
+Routing configurations are the building blocks of UDR management. They're used to describe the desired routing behavior for a network group. Each routing configuration contains one ore more rule collections. Warning: A rule collection without a rule will cause a deployment of routing configuration to fail in network manager.'''
+metadata owner = 'Azure/module-maintainers'
+
+@sys.description('Conditional. The name of the parent network manager. Required if the template is used in a standalone deployment.')
+param networkManagerName string
+
+@sys.description('Conditional. The name of the parent Routing Configuration. Required if the template is used in a standalone deployment.')
+param routingConfigurationName string
+
+@maxLength(64)
+@sys.description('Required. The name of the routing rule collection.')
+param name string
+
+@maxLength(500)
+@sys.description('Optional. A description of the routing rule collection.')
+param description string = ''
+
+@sys.description('Required. List of network groups for configuration. A routing rule collection must be associated to at least one network group.')
+param appliesTo appliesToType
+
+@sys.description('Optional. Determines whether BGP route propagation is enabled for the routing rule collection. Defaults to true.')
+param disableBgpRoutePropagation bool = true
+
+@sys.description('Optional. List of rules for the routing rules collection. 
Warning: A rule collection without a rule will cause a deployment of routing configuration to fail in network manager.')
+param rules rulesType
+
+resource networkManager 'Microsoft.Network/networkManagers@2024-05-01' existing = {
+ name: networkManagerName
+
+ resource routingConfiguration 'routingConfigurations' existing = {
+ name: routingConfigurationName
+ }
+}
+
+resource ruleCollection 'Microsoft.Network/networkManagers/routingConfigurations/ruleCollections@2024-05-01' = {
+ name: name
+ parent: networkManager::routingConfiguration
+ properties: {
+ description: description
+ appliesTo: map(appliesTo, (group) => {
+ networkGroupId: any(group.networkGroupResourceId)
+ })
+ disableBgpRoutePropagation: string(disableBgpRoutePropagation)
+ }
+}
+
+module ruleCollection_rules 'rule/main.bicep' = [
+ for (rule, index) in rules ?? []: {
+ name: '${uniqueString(deployment().name)}-RuleCollections-Rules-${index}'
+ params: {
+ networkManagerName: networkManager.name
+ routingConfigurationName: routingConfigurationName
+ ruleCollectionName: ruleCollection.name
+ name: rule.name
+ description: rule.?description
+ destination: rule.destination
+ nextHop: rule.nextHop
+ }
+ }
+]
+
+@sys.description('The name of the deployed routing rule collection.')
+output name string = ruleCollection.name
+
+@sys.description('The resource ID of the deployed routing rule collection.')
+output resourceId string = ruleCollection.id
+
+@sys.description('The resource group the routing rule collection was deployed into.')
+output resourceGroupName string = resourceGroup().name
+
+// =============== //
+// Definitions //
+// =============== //
+
+@export()
+type appliesToType = {
+ @sys.description('Required. The resource ID of the network group.')
+ networkGroupResourceId: string
+}[]
+
+import { destinationType, nextHopType } from 'rule/main.bicep'
+@export()
+type rulesType = {
+ @sys.description('Required. The name of the rule.')
+ name: string
+
+ @sys.description('Optional. 
A description of the rule.')
+ description: string?
+
+ @sys.description('Required. The destination can be IP addresses or Service Tag for this route. Address Prefixes are defined using the CIDR format, while Service tags are predefined identifiers that represent a category of IP addresses, which are managed by Azure.')
+ destination: destinationType
+
+ @sys.description('Required. The next hop handles the matching packets for this route. It can be the virtual network, the virtual network gateway, the internet, a virtual appliance, or none. Virtual network gateways cannot be used if the address prefix is IPv6. If the next hop type is VirtualAppliance, the next hop address must be specified.')
+ nextHop: nextHopType
+}[]?
diff --git a/avm/res/network/network-manager/routing-configuration/rule-collection/main.json b/avm/res/network/network-manager/routing-configuration/rule-collection/main.json
new file mode 100644
index 0000000000..0bd47244c7
--- /dev/null
+++ b/avm/res/network/network-manager/routing-configuration/rule-collection/main.json
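Review bot: The description of `disableBgpRoutePropagation` contradicts the parameter's name and its use in `ruleCollection.properties`: with the default `true` the module disables BGP route propagation for the collection, yet the text says propagation "is enabled". I would reword it to `@sys.description('Optional. Set to true to disable BGP route propagation for the route tables managed by this rule collection. Defaults to true.')` and add a short why-comment on the `string(...)` cast (presumably the API expects a string enum for this property), then regenerate main.json and the README, which repeat the same sentence. Relatedly, `rules` is nullable and falls back to `[]` in the module loop even though the module metadata warns that a rule collection without a rule makes the routing-configuration deployment fail; either make the parameter required or state in its description that rules are expected to be added in a later deployment. The metadata description also carries two typos, "deploys an Network Manager" and "one ore more".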
@@ -0,0 +1,432 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.32.4.45862", + "templateHash": "12392053229903210262" + }, + "name": "Network Manager Routing Configuration Rule Collections", + "description": "This module deploys an Network Manager Routing Configuration Rule Collection.\r\nRouting configurations are the building blocks of UDR management. They're used to describe the desired routing behavior for a network group. Each routing configuration contains one ore more rule collections. Warning: A rule collection without a rule will cause a deployment of routing configuration to fail in network manager.", + "owner": "Azure/module-maintainers" + }, + "definitions": { + "appliesToType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "networkGroupResourceId": { + "type": "string", + "metadata": { + "description": "Required. The resource ID of the network group." + } + } + } + }, + "metadata": { + "__bicep_export!": true + } + }, + "rulesType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the rule." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. A description of the rule." + } + }, + "destination": { + "$ref": "#/definitions/destinationType", + "metadata": { + "description": "Required. The destination can be IP addresses or Service Tag for this route. Address Prefixes are defined using the CIDR format, while Service tags are predefined identifiers that represent a category of IP addresses, which are managed by Azure." + } + }, + "nextHop": { + "$ref": "#/definitions/nextHopType", + "metadata": { + "description": "Required. The next hop handles the matching packets for this route. 
It can be the virtual network, the virtual network gateway, the internet, a virtual appliance, or none. Virtual network gateways cannot be used if the address prefix is IPv6. If the next hop type is VirtualAppliance, the next hop address must be specified." + } + } + } + }, + "nullable": true, + "metadata": { + "__bicep_export!": true + } + }, + "destinationType": { + "type": "object", + "properties": { + "type": { + "type": "string", + "allowedValues": [ + "AddressPrefix", + "ServiceTag" + ], + "metadata": { + "description": "Required. The destination type can be IP addresses or Service Tag for this route. Address Prefixes are defined using the CIDR format, while Service tags are predefined identifiers that represent a category of IP addresses, which are managed by Azure." + } + }, + "destinationAddress": { + "type": "string", + "metadata": { + "description": "Required. The destination IP addresses or Service Tag for this route. For IP addresses, it is the IP address range in CIDR notation that this route applies to. If the destination IP address of a packet falls in this range, it matches this route. As for Service Tags, valid identifiers can be \"AzureCloud\", \"Storage.AustraliaEast\", etc. See https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview for more information on service tags." + } + } + }, + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "rule/main.bicep" + } + } + }, + "nextHopType": { + "type": "object", + "properties": { + "nextHopType": { + "type": "string", + "allowedValues": [ + "Internet", + "NoNextHop", + "VirtualAppliance", + "VirtualNetworkGateway", + "VnetLocal" + ], + "metadata": { + "description": "Required. The next hop handles the matching packets for this route. It can be the virtual network, the virtual network gateway, the internet, a virtual appliance, or none. Virtual network gateways cannot be used if the address prefix is IPv6. 
If the next hop type is VirtualAppliance, the next hop address must be specified." + } + }, + "nextHopAddress": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Conditional. The IP address of the next hop. Required if the next hop type is VirtualAppliance." + } + } + }, + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "rule/main.bicep" + } + } + } + }, + "parameters": { + "networkManagerName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent network manager. Required if the template is used in a standalone deployment." + } + }, + "routingConfigurationName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent Routing Configuration. Required if the template is used in a standalone deployment." + } + }, + "name": { + "type": "string", + "maxLength": 64, + "metadata": { + "description": "Required. The name of the routing rule collection." + } + }, + "description": { + "type": "string", + "defaultValue": "", + "maxLength": 500, + "metadata": { + "description": "Optional. A description of the routing rule collection." + } + }, + "appliesTo": { + "$ref": "#/definitions/appliesToType", + "metadata": { + "description": "Required. List of network groups for configuration. A routing rule collection must be associated to at least one network group." + } + }, + "disableBgpRoutePropagation": { + "type": "bool", + "defaultValue": true, + "metadata": { + "description": "Optional. Determines whether BGP route propagation is enabled for the routing rule collection. Defaults to true." + } + }, + "rules": { + "$ref": "#/definitions/rulesType", + "metadata": { + "description": "Optional. List of rules for the routing rules collection. Warning: A rule collection without a rule will cause a deployment of routing configuration to fail in network manager." 
+ } + } + }, + "resources": { + "networkManager::routingConfiguration": { + "existing": true, + "type": "Microsoft.Network/networkManagers/routingConfigurations", + "apiVersion": "2024-05-01", + "name": "[format('{0}/{1}', parameters('networkManagerName'), parameters('routingConfigurationName'))]" + }, + "networkManager": { + "existing": true, + "type": "Microsoft.Network/networkManagers", + "apiVersion": "2024-05-01", + "name": "[parameters('networkManagerName')]" + }, + "ruleCollection": { + "type": "Microsoft.Network/networkManagers/routingConfigurations/ruleCollections", + "apiVersion": "2024-05-01", + "name": "[format('{0}/{1}/{2}', parameters('networkManagerName'), parameters('routingConfigurationName'), parameters('name'))]", + "properties": { + "description": "[parameters('description')]", + "appliesTo": "[map(parameters('appliesTo'), lambda('group', createObject('networkGroupId', lambdaVariables('group').networkGroupResourceId)))]", + "disableBgpRoutePropagation": "[string(parameters('disableBgpRoutePropagation'))]" + } + }, + "ruleCollection_rules": { + "copy": { + "name": "ruleCollection_rules", + "count": "[length(coalesce(parameters('rules'), createArray()))]" + }, + "type": "Microsoft.Resources/deployments", + "apiVersion": "2022-09-01", + "name": "[format('{0}-RuleCollections-Rules-{1}', uniqueString(deployment().name), copyIndex())]", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "networkManagerName": { + "value": "[parameters('networkManagerName')]" + }, + "routingConfigurationName": { + "value": "[parameters('routingConfigurationName')]" + }, + "ruleCollectionName": { + "value": "[parameters('name')]" + }, + "name": { + "value": "[coalesce(parameters('rules'), createArray())[copyIndex()].name]" + }, + "description": { + "value": "[tryGet(coalesce(parameters('rules'), createArray())[copyIndex()], 'description')]" + }, + "destination": { + "value": 
"[coalesce(parameters('rules'), createArray())[copyIndex()].destination]" + }, + "nextHop": { + "value": "[coalesce(parameters('rules'), createArray())[copyIndex()].nextHop]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.32.4.45862", + "templateHash": "16150172197183244404" + }, + "name": "Network Manager Routing configuration Rule Collection Rules", + "description": "This module deploys an Azure Virtual Network Manager (AVNM) Routing Configuration Rule Collection Rule.\r\nA Routing configuration contains a set of rule collections. Each rule collection contains one or more routing rules.", + "owner": "Azure/module-maintainers" + }, + "definitions": { + "destinationType": { + "type": "object", + "properties": { + "type": { + "type": "string", + "allowedValues": [ + "AddressPrefix", + "ServiceTag" + ], + "metadata": { + "description": "Required. The destination type can be IP addresses or Service Tag for this route. Address Prefixes are defined using the CIDR format, while Service tags are predefined identifiers that represent a category of IP addresses, which are managed by Azure." + } + }, + "destinationAddress": { + "type": "string", + "metadata": { + "description": "Required. The destination IP addresses or Service Tag for this route. For IP addresses, it is the IP address range in CIDR notation that this route applies to. If the destination IP address of a packet falls in this range, it matches this route. As for Service Tags, valid identifiers can be \"AzureCloud\", \"Storage.AustraliaEast\", etc. See https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview for more information on service tags." 
+ } + } + }, + "metadata": { + "__bicep_export!": true + } + }, + "nextHopType": { + "type": "object", + "properties": { + "nextHopType": { + "type": "string", + "allowedValues": [ + "Internet", + "NoNextHop", + "VirtualAppliance", + "VirtualNetworkGateway", + "VnetLocal" + ], + "metadata": { + "description": "Required. The next hop handles the matching packets for this route. It can be the virtual network, the virtual network gateway, the internet, a virtual appliance, or none. Virtual network gateways cannot be used if the address prefix is IPv6. If the next hop type is VirtualAppliance, the next hop address must be specified." + } + }, + "nextHopAddress": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Conditional. The IP address of the next hop. Required if the next hop type is VirtualAppliance." + } + } + }, + "metadata": { + "__bicep_export!": true + } + } + }, + "parameters": { + "networkManagerName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent network manager. Required if the template is used in a standalone deployment." + } + }, + "routingConfigurationName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent Routing configuration. Required if the template is used in a standalone deployment." + } + }, + "ruleCollectionName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent rule collection. Required if the template is used in a standalone deployment." + } + }, + "name": { + "type": "string", + "maxLength": 64, + "metadata": { + "description": "Required. The name of the rule." + } + }, + "description": { + "type": "string", + "defaultValue": "", + "maxLength": 500, + "metadata": { + "description": "Optional. A description of the rule." + } + }, + "destination": { + "$ref": "#/definitions/destinationType", + "metadata": { + "description": "Required. 
The destination can be IP addresses or Service Tag for this route. Address Prefixes are defined using the CIDR format, while Service tags are predefined identifiers that represent a category of IP addresses, which are managed by Azure." + } + }, + "nextHop": { + "$ref": "#/definitions/nextHopType", + "metadata": { + "description": "Required. The next hop handles the matching packets for this route. It can be the virtual network, the virtual network gateway, the internet, a virtual appliance, or none. Virtual network gateways cannot be used if the address prefix is IPv6. If the next hop type is VirtualAppliance, the next hop address must be specified." + } + } + }, + "resources": { + "networkManager::routingConfiguration::ruleCollection": { + "existing": true, + "type": "Microsoft.Network/networkManagers/routingConfigurations/ruleCollections", + "apiVersion": "2024-05-01", + "name": "[format('{0}/{1}/{2}', parameters('networkManagerName'), parameters('routingConfigurationName'), parameters('ruleCollectionName'))]" + }, + "networkManager::routingConfiguration": { + "existing": true, + "type": "Microsoft.Network/networkManagers/routingConfigurations", + "apiVersion": "2024-05-01", + "name": "[format('{0}/{1}', parameters('networkManagerName'), parameters('routingConfigurationName'))]" + }, + "networkManager": { + "existing": true, + "type": "Microsoft.Network/networkManagers", + "apiVersion": "2024-05-01", + "name": "[parameters('networkManagerName')]" + }, + "rule": { + "type": "Microsoft.Network/networkManagers/routingConfigurations/ruleCollections/rules", + "apiVersion": "2024-05-01", + "name": "[format('{0}/{1}/{2}/{3}', parameters('networkManagerName'), parameters('routingConfigurationName'), parameters('ruleCollectionName'), parameters('name'))]", + "properties": { + "description": "[parameters('description')]", + "destination": "[parameters('destination')]", + "nextHop": "[parameters('nextHop')]" + } + } + }, + "outputs": { + "name": { + "type": "string", + 
"metadata": { + "description": "The name of the deployed rule." + }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the deployed rule." + }, + "value": "[resourceId('Microsoft.Network/networkManagers/routingConfigurations/ruleCollections/rules', parameters('networkManagerName'), parameters('routingConfigurationName'), parameters('ruleCollectionName'), parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The resource group the rule was deployed into." + }, + "value": "[resourceGroup().name]" + } + } + } + }, + "dependsOn": [ + "ruleCollection" + ] + } + }, + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the deployed routing rule collection." + }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the deployed routing rule collection." + }, + "value": "[resourceId('Microsoft.Network/networkManagers/routingConfigurations/ruleCollections', parameters('networkManagerName'), parameters('routingConfigurationName'), parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The resource group the routing rule collection was deployed into." + }, + "value": "[resourceGroup().name]" + } + } +} \ No newline at end of file diff --git a/avm/res/network/network-manager/routing-configuration/rule-collection/rule/README.md b/avm/res/network/network-manager/routing-configuration/rule-collection/rule/README.md new file mode 100644 index 0000000000..fc357bee37 --- /dev/null +++ b/avm/res/network/network-manager/routing-configuration/rule-collection/rule/README.md 
@@ -0,0 +1,162 @@ +# Network Manager Routing configuration Rule Collection Rules `[Microsoft.Network/networkManagers/routingConfigurations/ruleCollections/rules]` + +This module deploys an Azure Virtual Network Manager (AVNM) Routing Configuration Rule Collection Rule. +A Routing configuration contains a set of rule collections. Each rule collection contains one or more routing rules. + +## Navigation + +- [Resource Types](#Resource-Types) +- [Parameters](#Parameters) +- [Outputs](#Outputs) + +## Resource Types + +| Resource Type | API Version | +| :-- | :-- | +| `Microsoft.Network/networkManagers/routingConfigurations/ruleCollections/rules` | [2024-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2024-05-01/networkManagers/routingConfigurations/ruleCollections/rules) | + +## Parameters + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`destination`](#parameter-destination) | object | The destination can be IP addresses or Service Tag for this route. Address Prefixes are defined using the CIDR format, while Service tags are predefined identifiers that represent a category of IP addresses, which are managed by Azure. | +| [`name`](#parameter-name) | string | The name of the rule. | +| [`nextHop`](#parameter-nexthop) | object | The next hop handles the matching packets for this route. It can be the virtual network, the virtual network gateway, the internet, a virtual appliance, or none. Virtual network gateways cannot be used if the address prefix is IPv6. If the next hop type is VirtualAppliance, the next hop address must be specified. | + +**Conditional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`networkManagerName`](#parameter-networkmanagername) | string | The name of the parent network manager. Required if the template is used in a standalone deployment. 
| +| [`routingConfigurationName`](#parameter-routingconfigurationname) | string | The name of the parent Routing configuration. Required if the template is used in a standalone deployment. | +| [`ruleCollectionName`](#parameter-rulecollectionname) | string | The name of the parent rule collection. Required if the template is used in a standalone deployment. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`description`](#parameter-description) | string | A description of the rule. | + +### Parameter: `destination` + +The destination can be IP addresses or Service Tag for this route. Address Prefixes are defined using the CIDR format, while Service tags are predefined identifiers that represent a category of IP addresses, which are managed by Azure. + +- Required: Yes +- Type: object + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`destinationAddress`](#parameter-destinationdestinationaddress) | string | The destination IP addresses or Service Tag for this route. For IP addresses, it is the IP address range in CIDR notation that this route applies to. If the destination IP address of a packet falls in this range, it matches this route. As for Service Tags, valid identifiers can be "AzureCloud", "Storage.AustraliaEast", etc. See https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview for more information on service tags. | +| [`type`](#parameter-destinationtype) | string | The destination type can be IP addresses or Service Tag for this route. Address Prefixes are defined using the CIDR format, while Service tags are predefined identifiers that represent a category of IP addresses, which are managed by Azure. | + +### Parameter: `destination.destinationAddress` + +The destination IP addresses or Service Tag for this route. For IP addresses, it is the IP address range in CIDR notation that this route applies to. 
If the destination IP address of a packet falls in this range, it matches this route. As for Service Tags, valid identifiers can be "AzureCloud", "Storage.AustraliaEast", etc. See https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview for more information on service tags. + +- Required: Yes +- Type: string + +### Parameter: `destination.type` + +The destination type can be IP addresses or Service Tag for this route. Address Prefixes are defined using the CIDR format, while Service tags are predefined identifiers that represent a category of IP addresses, which are managed by Azure. + +- Required: Yes +- Type: string +- Allowed: + ```Bicep + [ + 'AddressPrefix' + 'ServiceTag' + ] + ``` + +### Parameter: `name` + +The name of the rule. + +- Required: Yes +- Type: string + +### Parameter: `nextHop` + +The next hop handles the matching packets for this route. It can be the virtual network, the virtual network gateway, the internet, a virtual appliance, or none. Virtual network gateways cannot be used if the address prefix is IPv6. If the next hop type is VirtualAppliance, the next hop address must be specified. + +- Required: Yes +- Type: object + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`nextHopType`](#parameter-nexthopnexthoptype) | string | The next hop handles the matching packets for this route. It can be the virtual network, the virtual network gateway, the internet, a virtual appliance, or none. Virtual network gateways cannot be used if the address prefix is IPv6. If the next hop type is VirtualAppliance, the next hop address must be specified. | + +**Conditional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`nextHopAddress`](#parameter-nexthopnexthopaddress) | string | The IP address of the next hop. Required if the next hop type is VirtualAppliance. | + +### Parameter: `nextHop.nextHopType` + +The next hop handles the matching packets for this route. 
It can be the virtual network, the virtual network gateway, the internet, a virtual appliance, or none. Virtual network gateways cannot be used if the address prefix is IPv6. If the next hop type is VirtualAppliance, the next hop address must be specified. + +- Required: Yes +- Type: string +- Allowed: + ```Bicep + [ + 'Internet' + 'NoNextHop' + 'VirtualAppliance' + 'VirtualNetworkGateway' + 'VnetLocal' + ] + ``` + +### Parameter: `nextHop.nextHopAddress` + +The IP address of the next hop. Required if the next hop type is VirtualAppliance. + +- Required: No +- Type: string + +### Parameter: `networkManagerName` + +The name of the parent network manager. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + +### Parameter: `routingConfigurationName` + +The name of the parent Routing configuration. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + +### Parameter: `ruleCollectionName` + +The name of the parent rule collection. Required if the template is used in a standalone deployment. + +- Required: Yes +- Type: string + +### Parameter: `description` + +A description of the rule. + +- Required: No +- Type: string +- Default: `''` + +## Outputs + +| Output | Type | Description | +| :-- | :-- | :-- | +| `name` | string | The name of the deployed rule. | +| `resourceGroupName` | string | The resource group the rule was deployed into. | +| `resourceId` | string | The resource ID of the deployed rule. | diff --git a/avm/res/network/network-manager/routing-configuration/rule-collection/rule/main.bicep b/avm/res/network/network-manager/routing-configuration/rule-collection/rule/main.bicep new file mode 100644 index 0000000000..aa79d1b7e8 --- /dev/null +++ b/avm/res/network/network-manager/routing-configuration/rule-collection/rule/main.bicep 
@@ -0,0 +1,80 @@
+metadata name = 'Network Manager Routing configuration Rule Collection Rules'
+metadata description = '''This module deploys an Azure Virtual Network Manager (AVNM) Routing Configuration Rule Collection Rule.
+A Routing configuration contains a set of rule collections. Each rule collection contains one or more routing rules.'''
+metadata owner = 'Azure/module-maintainers'
+
+@sys.description('Conditional. The name of the parent network manager. Required if the template is used in a standalone deployment.')
+param networkManagerName string
+
+@sys.description('Conditional. The name of the parent Routing configuration. Required if the template is used in a standalone deployment.')
+param routingConfigurationName string
+
+@sys.description('Conditional. The name of the parent rule collection. Required if the template is used in a standalone deployment.')
+param ruleCollectionName string
+
+@maxLength(64)
+@sys.description('Required. The name of the rule.')
+param name string
+
+@maxLength(500)
+@sys.description('Optional. A description of the rule.')
+param description string = ''
+
+@sys.description('Required. The destination can be IP addresses or Service Tag for this route. Address Prefixes are defined using the CIDR format, while Service tags are predefined identifiers that represent a category of IP addresses, which are managed by Azure.')
+param destination destinationType
+
+@sys.description('Required. The next hop handles the matching packets for this route. It can be the virtual network, the virtual network gateway, the internet, a virtual appliance, or none. Virtual network gateways cannot be used if the address prefix is IPv6. If the next hop type is VirtualAppliance, the next hop address must be specified.')
+param nextHop nextHopType
+
+resource networkManager 'Microsoft.Network/networkManagers@2024-05-01' existing = {
+ name: networkManagerName
+
+ resource routingConfiguration 'routingConfigurations' existing = {
+ name: routingConfigurationName
+
+ resource ruleCollection 'ruleCollections' existing = {
+ name: ruleCollectionName
+ }
+ }
+}
+
+resource rule 'Microsoft.Network/networkManagers/routingConfigurations/ruleCollections/rules@2024-05-01' = {
+ name: name
+ parent: networkManager::routingConfiguration::ruleCollection
+ properties: {
+ description: description
+ destination: destination
+ nextHop: nextHop
+ }
+}
+
+@sys.description('The name of the deployed rule.')
+output name string = rule.name
+
+@sys.description('The resource ID of the deployed rule.')
+output resourceId string = rule.id
+
+@sys.description('The resource group the rule was deployed into.')
+output resourceGroupName string = resourceGroup().name
+
+// =============== //
+// Definitions //
+// =============== //
+
+@export()
+type destinationType = {
+ @sys.description('Required. The destination type can be IP addresses or Service Tag for this route. Address Prefixes are defined using the CIDR format, while Service tags are predefined identifiers that represent a category of IP addresses, which are managed by Azure.')
+ type: 'AddressPrefix' | 'ServiceTag'
+
+ @sys.description('Required. The destination IP addresses or Service Tag for this route. For IP addresses, it is the IP address range in CIDR notation that this route applies to. If the destination IP address of a packet falls in this range, it matches this route. As for Service Tags, valid identifiers can be "AzureCloud", "Storage.AustraliaEast", etc. See https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview for more information on service tags.')
+ destinationAddress: string
+}
+
+@export()
+type nextHopType = {
+ @sys.description('Required. The next hop handles the matching packets for this route. It can be the virtual network, the virtual network gateway, the internet, a virtual appliance, or none. Virtual network gateways cannot be used if the address prefix is IPv6. If the next hop type is VirtualAppliance, the next hop address must be specified.')
+ nextHopType: 'Internet' | 'NoNextHop' | 'VirtualAppliance' | 'VirtualNetworkGateway' | 'VnetLocal'
+
+ @sys.description('Conditional. The IP address of the next hop. Required if the next hop type is VirtualAppliance.')
+ nextHopAddress: string?
+}
diff --git a/avm/res/network/network-manager/routing-configuration/rule-collection/rule/main.json b/avm/res/network/network-manager/routing-configuration/rule-collection/rule/main.json
new file mode 100644
index 0000000000..e1236d6b56
--- /dev/null
+++ b/avm/res/network/network-manager/routing-configuration/rule-collection/rule/main.json
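Review bot: The `nextHopType` definition lets the compiler accept shapes the descriptions forbid: `nextHopAddress: string?` sits beside all five `nextHopType` literals, so `{ nextHopType: 'VirtualAppliance' }` with no address, or an address paired with `'Internet'`, passes type-checking and is only caught (or silently ignored) by the service when the rule is deployed. Since a VirtualAppliance next hop decides where every packet matching `destination` is steered for all VNets the rule collection applies to, a malformed next hop deserves a compile-time error rather than a deployment-time one. A `@discriminator('nextHopType')` tagged union, sketched below, makes `nextHopAddress` mandatory for the `VirtualAppliance` member only; I have not verified whether the 2024-05-01 API tolerates an address on the other four next-hop kinds, so if it does, keep `nextHopAddress: string?` on those members to stay backward compatible with the exported type. The README and main.json would need regenerating to match.
```bicep
@export()
@discriminator('nextHopType')
type nextHopType = nextHopVirtualApplianceType | nextHopInternetType | nextHopNoNextHopType | nextHopVirtualNetworkGatewayType | nextHopVnetLocalType

type nextHopVirtualApplianceType = {
  @sys.description('Required. Matching packets are forwarded to the virtual appliance at nextHopAddress.')
  nextHopType: 'VirtualAppliance'

  @sys.description('Required. The IP address of the virtual appliance that receives the matching packets.')
  nextHopAddress: string
}

type nextHopInternetType = {
  @sys.description('Required. Matching packets are routed to the internet.')
  nextHopType: 'Internet'
}

// … same single-property shape for 'NoNextHop', 'VirtualNetworkGateway' and 'VnetLocal' …
```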
@@ -0,0 +1,169 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.32.4.45862", + "templateHash": "16150172197183244404" + }, + "name": "Network Manager Routing configuration Rule Collection Rules", + "description": "This module deploys an Azure Virtual Network Manager (AVNM) Routing Configuration Rule Collection Rule.\r\nA Routing configuration contains a set of rule collections. Each rule collection contains one or more routing rules.", + "owner": "Azure/module-maintainers" + }, + "definitions": { + "destinationType": { + "type": "object", + "properties": { + "type": { + "type": "string", + "allowedValues": [ + "AddressPrefix", + "ServiceTag" + ], + "metadata": { + "description": "Required. The destination type can be IP addresses or Service Tag for this route. Address Prefixes are defined using the CIDR format, while Service tags are predefined identifiers that represent a category of IP addresses, which are managed by Azure." + } + }, + "destinationAddress": { + "type": "string", + "metadata": { + "description": "Required. The destination IP addresses or Service Tag for this route. For IP addresses, it is the IP address range in CIDR notation that this route applies to. If the destination IP address of a packet falls in this range, it matches this route. As for Service Tags, valid identifiers can be \"AzureCloud\", \"Storage.AustraliaEast\", etc. See https://docs.microsoft.com/en-us/azure/virtual-network/service-tags-overview for more information on service tags." + } + } + }, + "metadata": { + "__bicep_export!": true + } + }, + "nextHopType": { + "type": "object", + "properties": { + "nextHopType": { + "type": "string", + "allowedValues": [ + "Internet", + "NoNextHop", + "VirtualAppliance", + "VirtualNetworkGateway", + "VnetLocal" + ], + "metadata": { + "description": "Required. 
The next hop handles the matching packets for this route. It can be the virtual network, the virtual network gateway, the internet, a virtual appliance, or none. Virtual network gateways cannot be used if the address prefix is IPv6. If the next hop type is VirtualAppliance, the next hop address must be specified." + } + }, + "nextHopAddress": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Conditional. The IP address of the next hop. Required if the next hop type is VirtualAppliance." + } + } + }, + "metadata": { + "__bicep_export!": true + } + } + }, + "parameters": { + "networkManagerName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent network manager. Required if the template is used in a standalone deployment." + } + }, + "routingConfigurationName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent Routing configuration. Required if the template is used in a standalone deployment." + } + }, + "ruleCollectionName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent rule collection. Required if the template is used in a standalone deployment." + } + }, + "name": { + "type": "string", + "maxLength": 64, + "metadata": { + "description": "Required. The name of the rule." + } + }, + "description": { + "type": "string", + "defaultValue": "", + "maxLength": 500, + "metadata": { + "description": "Optional. A description of the rule." + } + }, + "destination": { + "$ref": "#/definitions/destinationType", + "metadata": { + "description": "Required. The destination can be IP addresses or Service Tag for this route. Address Prefixes are defined using the CIDR format, while Service tags are predefined identifiers that represent a category of IP addresses, which are managed by Azure." + } + }, + "nextHop": { + "$ref": "#/definitions/nextHopType", + "metadata": { + "description": "Required. 
The next hop handles the matching packets for this route. It can be the virtual network, the virtual network gateway, the internet, a virtual appliance, or none. Virtual network gateways cannot be used if the address prefix is IPv6. If the next hop type is VirtualAppliance, the next hop address must be specified." + } + } + }, + "resources": { + "networkManager::routingConfiguration::ruleCollection": { + "existing": true, + "type": "Microsoft.Network/networkManagers/routingConfigurations/ruleCollections", + "apiVersion": "2024-05-01", + "name": "[format('{0}/{1}/{2}', parameters('networkManagerName'), parameters('routingConfigurationName'), parameters('ruleCollectionName'))]" + }, + "networkManager::routingConfiguration": { + "existing": true, + "type": "Microsoft.Network/networkManagers/routingConfigurations", + "apiVersion": "2024-05-01", + "name": "[format('{0}/{1}', parameters('networkManagerName'), parameters('routingConfigurationName'))]" + }, + "networkManager": { + "existing": true, + "type": "Microsoft.Network/networkManagers", + "apiVersion": "2024-05-01", + "name": "[parameters('networkManagerName')]" + }, + "rule": { + "type": "Microsoft.Network/networkManagers/routingConfigurations/ruleCollections/rules", + "apiVersion": "2024-05-01", + "name": "[format('{0}/{1}/{2}/{3}', parameters('networkManagerName'), parameters('routingConfigurationName'), parameters('ruleCollectionName'), parameters('name'))]", + "properties": { + "description": "[parameters('description')]", + "destination": "[parameters('destination')]", + "nextHop": "[parameters('nextHop')]" + } + } + }, + "outputs": { + "name": { + "type": "string", + "metadata": { + "description": "The name of the deployed rule." + }, + "value": "[parameters('name')]" + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the deployed rule." 
+ }, + "value": "[resourceId('Microsoft.Network/networkManagers/routingConfigurations/ruleCollections/rules', parameters('networkManagerName'), parameters('routingConfigurationName'), parameters('ruleCollectionName'), parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The resource group the rule was deployed into." + }, + "value": "[resourceGroup().name]" + } + } +} \ No newline at end of file diff --git a/avm/res/network/network-manager/scope-connection/README.md b/avm/res/network/network-manager/scope-connection/README.md index 3f7d4f7128..753788744e 100644 --- a/avm/res/network/network-manager/scope-connection/README.md +++ b/avm/res/network/network-manager/scope-connection/README.md @@ -13,7 +13,7 @@ Create a cross-tenant connection to manage a resource from another tenant. | Resource Type | API Version | | :-- | :-- | -| `Microsoft.Network/networkManagers/scopeConnections` | [2023-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-11-01/networkManagers/scopeConnections) | +| `Microsoft.Network/networkManagers/scopeConnections` | [2024-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2024-05-01/networkManagers/scopeConnections) | ## Parameters @@ -71,6 +71,7 @@ A description of the scope connection. - Required: No - Type: string +- Default: `''` ## Outputs diff --git a/avm/res/network/network-manager/scope-connection/main.bicep b/avm/res/network/network-manager/scope-connection/main.bicep index 68c7bf5b4a..5220aa4b83 100644 --- a/avm/res/network/network-manager/scope-connection/main.bicep +++ b/avm/res/network/network-manager/scope-connection/main.bicep 
@@ -12,7 +12,7 @@ param name string @maxLength(500) @sys.description('Optional. A description of the scope connection.') -param description string? +param description string = '' @sys.description('Required. Enter the subscription or management group resource ID that you want to add to this network manager\'s scope.') param resourceId string @@ -20,15 +20,15 @@ param resourceId string @sys.description('Required. Tenant ID of the subscription or management group that you want to manage.') param tenantId string -resource networkManager 'Microsoft.Network/networkManagers@2023-11-01' existing = { +resource networkManager 'Microsoft.Network/networkManagers@2024-05-01' existing = { name: networkManagerName } -resource scopeConnection 'Microsoft.Network/networkManagers/scopeConnections@2023-11-01' = { +resource scopeConnection 'Microsoft.Network/networkManagers/scopeConnections@2024-05-01' = { name: name parent: networkManager properties: { - description: description ?? '' + description: description resourceId: resourceId tenantId: tenantId } diff --git a/avm/res/network/network-manager/scope-connection/main.json b/avm/res/network/network-manager/scope-connection/main.json index 90a8185dd3..dbe463025d 100644 --- a/avm/res/network/network-manager/scope-connection/main.json +++ b/avm/res/network/network-manager/scope-connection/main.json 
@@ -1,15 +1,14 @@ { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", "version": "0.32.4.45862", - "templateHash": "15079843378119506037" + "templateHash": "9741647790841164162" }, "name": "Network Manager Scope Connections", - "description": "This module deploys a Network Manager Scope Connection.\nCreate a cross-tenant connection to manage a resource from another tenant.", + "description": "This module deploys a Network Manager Scope Connection.\r\nCreate a cross-tenant connection to manage a resource from another tenant.", "owner": "Azure/module-maintainers" }, "parameters": { @@ -28,7 +27,7 @@ }, "description": { "type": "string", - "nullable": true, + "defaultValue": "", "maxLength": 500, "metadata": { "description": "Optional. A description of the scope connection." @@ -47,24 +46,18 @@ } } }, - "resources": { - "networkManager": { - "existing": true, - "type": "Microsoft.Network/networkManagers", - "apiVersion": "2023-11-01", - "name": "[parameters('networkManagerName')]" - }, - "scopeConnection": { + "resources": [ + { "type": "Microsoft.Network/networkManagers/scopeConnections", - "apiVersion": "2023-11-01", + "apiVersion": "2024-05-01", "name": "[format('{0}/{1}', parameters('networkManagerName'), parameters('name'))]", "properties": { - "description": "[coalesce(parameters('description'), '')]", + "description": "[parameters('description')]", "resourceId": "[parameters('resourceId')]", "tenantId": "[parameters('tenantId')]" } } - }, + ], "outputs": { "name": { "type": "string", diff --git a/avm/res/network/network-manager/security-admin-configuration/README.md b/avm/res/network/network-manager/security-admin-configuration/README.md index f7f93d8b4f..2706a67429 100644 --- a/avm/res/network/network-manager/security-admin-configuration/README.md 
+++ b/avm/res/network/network-manager/security-admin-configuration/README.md @@ -13,9 +13,9 @@ A security admin configuration contains a set of rule collections. Each rule col | Resource Type | API Version | | :-- | :-- | -| `Microsoft.Network/networkManagers/securityAdminConfigurations` | [2023-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-11-01/networkManagers/securityAdminConfigurations) | -| `Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections` | [2023-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-11-01/networkManagers/securityAdminConfigurations/ruleCollections) | -| `Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules` | [2023-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-11-01/networkManagers/securityAdminConfigurations/ruleCollections/rules) | +| `Microsoft.Network/networkManagers/securityAdminConfigurations` | [2024-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2024-05-01/networkManagers/securityAdminConfigurations) | +| `Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections` | [2024-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2024-05-01/networkManagers/securityAdminConfigurations/ruleCollections) | +| `Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules` | [2024-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2024-05-01/networkManagers/securityAdminConfigurations/ruleCollections/rules) | ## Parameters 
@@ -37,6 +37,7 @@ A security admin configuration contains a set of rule collections. Each rule col | Parameter | Type | Description | | :-- | :-- | :-- | | [`description`](#parameter-description) | string | A description of the security admin configuration. | +| [`networkGroupAddressSpaceAggregationOption`](#parameter-networkgroupaddressspaceaggregationoption) | string | Determine update behavior for changes to network groups referenced within the rules in this configuration. | | [`ruleCollections`](#parameter-rulecollections) | array | A security admin configuration contains a set of rule collections that are applied to network groups. Each rule collection contains one or more security admin rules. | ### Parameter: `applyOnNetworkIntentPolicyBasedServices` @@ -74,6 +75,22 @@ A description of the security admin configuration. - Required: No - Type: string +- Default: `''` + +### Parameter: `networkGroupAddressSpaceAggregationOption` + +Determine update behavior for changes to network groups referenced within the rules in this configuration. + +- Required: No +- Type: string +- Default: `'None'` +- Allowed: + ```Bicep + [ + 'Manual' + 'None' + ] + ``` ### Parameter: `ruleCollections` diff --git a/avm/res/network/network-manager/security-admin-configuration/main.bicep b/avm/res/network/network-manager/security-admin-configuration/main.bicep index 7f0c96f910..5a2f27005e 100644 --- a/avm/res/network/network-manager/security-admin-configuration/main.bicep +++ b/avm/res/network/network-manager/security-admin-configuration/main.bicep 
@@ -12,24 +12,32 @@ param name string @maxLength(500) @sys.description('Optional. A description of the security admin configuration.') -param description string? +param description string = '' @sys.description('Required. Enum list of network intent policy based services.') param applyOnNetworkIntentPolicyBasedServices applyOnNetworkIntentPolicyBasedServicesType +@allowed([ + 'None' + 'Manual' +]) +@sys.description('Optional. Determine update behavior for changes to network groups referenced within the rules in this configuration.') +param networkGroupAddressSpaceAggregationOption string = 'None' + @sys.description('Optional. A security admin configuration contains a set of rule collections that are applied to network groups. Each rule collection contains one or more security admin rules.') -param ruleCollections ruleCollectionType +param ruleCollections securityAdminConfigurationRuleCollectionType -resource networkManager 'Microsoft.Network/networkManagers@2023-11-01' existing = { +resource networkManager 'Microsoft.Network/networkManagers@2024-05-01' existing = { name: networkManagerName } -resource securityAdminConfigurations 'Microsoft.Network/networkManagers/securityAdminConfigurations@2023-11-01' = { +resource securityAdminConfigurations 'Microsoft.Network/networkManagers/securityAdminConfigurations@2024-05-01' = { name: name parent: networkManager properties: { - description: description ?? '' + description: description applyOnNetworkIntentPolicyBasedServices: applyOnNetworkIntentPolicyBasedServices + networkGroupAddressSpaceAggregationOption: networkGroupAddressSpaceAggregationOption } } 
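Review bot: The new `networkGroupAddressSpaceAggregationOption` parameter is documented only with the API's one-liner, which does not tell an operator what `'None'` versus `'Manual'` changes for the admin rules that reference a network group, yet that is exactly what decides whether a deny rule keeps covering a group's address space after the group changes. I am inferring from the name and the service documentation, not from this diff, that `'Manual'` stops the rules from tracking address-space changes until the configuration is re-deployed — please confirm against the 2024-05-01 reference before adopting any wording. Once confirmed, a description along the lines of `Optional. Controls whether security admin rules that reference a network group follow changes to that group's address space automatically (None) or only after the configuration is re-deployed (Manual).` would let a reader choose deliberately; the README entry for the parameter should carry the same text.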
@@ -40,7 +48,7 @@ module securityAdminConfigurations_ruleCollections 'rule-collection/main.bicep' networkManagerName: networkManager.name securityAdminConfigurationName: securityAdminConfigurations.name name: ruleCollection.name - description: ruleCollection.?description ?? '' + description: ruleCollection.?description appliesToGroups: ruleCollection.appliesToGroups rules: ruleCollection.?rules ?? [] } @@ -60,9 +68,12 @@ output resourceGroupName string = resourceGroup().name // Definitions // // =============== // +@export() type applyOnNetworkIntentPolicyBasedServicesType = ('None' | 'All' | 'AllowRulesOnly')[] -type ruleCollectionType = { +import { appliesToGroupsType, rulesType } from './rule-collection/main.bicep' +@export() +type securityAdminConfigurationRuleCollectionType = { @sys.description('Required. The name of the admin rule collection.') name: string 
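Review bot: `description: ruleCollection.?description` on the module call now forwards `null` whenever a rule collection omits its description, where the removed line substituted `''`. Whether that is equivalent depends on how `rule-collection/main.bicep` declares its `description` parameter, which is outside this chunk: if it follows the pattern used elsewhere in this PR and became a non-nullable `string = ''`, the call is relying on the deployment engine to apply the default for an explicitly null module argument; if it is still `string?`, nothing changes. Keeping the harmless `?? ''` fallback, or confirming with `bicep build` plus one deployment of a collection without a description, would settle it.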
@@ -70,55 +81,8 @@ type ruleCollectionType = { description: string? @sys.description('Required. List of network groups for configuration. An admin rule collection must be associated to at least one network group.') - appliesToGroups: { - @sys.description('Required. The resource ID of the network group.') - networkGroupResourceId: string - }[] + appliesToGroups: appliesToGroupsType @sys.description('Optional. List of rules for the admin rules collection. Security admin rules allows enforcing security policy criteria that matches the conditions set. Warning: A rule collection without rule will cause a deployment configuration for security admin goal state in network manager to fail.') - rules: { - @sys.description('Required. The name of the rule.') - name: string - - @sys.description('Required. Indicates the access allowed for this particular rule. "Allow" means traffic matching this rule will be allowed. "Deny" means traffic matching this rule will be blocked. "AlwaysAllow" means that traffic matching this rule will be allowed regardless of other rules with lower priority or user-defined NSGs.') - access: 'Allow' | 'AlwaysAllow' | 'Deny' - - @sys.description('Optional. A description of the rule.') - description: string? - - @sys.description('Optional. List of destination port ranges. This specifies on which ports traffic will be allowed or denied by this rule. Provide an (*) to allow traffic on any port. Port ranges are between 1-65535.') - destinationPortRanges: string[]? - - @sys.description('Optional. The destnations filter can be an IP Address or a service tag. Each filter contains the properties AddressPrefixType (IPPrefix or ServiceTag) and AddressPrefix (using CIDR notation (e.g. 192.168.99.0/24 or 2001:1234::/64) or a service tag (e.g. AppService.WestEurope)). Combining CIDR and Service tags in one rule filter is not permitted.') - destinations: { - @sys.description('Required. 
Address prefix type.') - addressPrefixType: 'IPPrefix' | 'ServiceTag' - - @sys.description('Required. Address prefix.') - addressPrefix: string - }[]? - - @sys.description('Required. Indicates if the traffic matched against the rule in inbound or outbound.') - direction: 'Inbound' | 'Outbound' - - @minValue(1) - @maxValue(4096) - @sys.description('Required. The priority of the rule. The value can be between 1 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule.') - priority: int - - @sys.description('Required. Network protocol this rule applies to.') - protocol: 'Ah' | 'Any' | 'Esp' | 'Icmp' | 'Tcp' | 'Udp' - - @sys.description('Optional. List of destination port ranges. This specifies on which ports traffic will be allowed or denied by this rule. Provide an (*) to allow traffic on any port. Port ranges are between 1-65535.') - sourcePortRanges: string[]? - - @sys.description('Optional. The source filter can be an IP Address or a service tag. Each filter contains the properties AddressPrefixType (IPPrefix or ServiceTag) and AddressPrefix (using CIDR notation (e.g. 192.168.99.0/24 or 2001:1234::/64) or a service tag (e.g. AppService.WestEurope)). Combining CIDR and Service tags in one rule filter is not permitted.') - sources: { - @sys.description('Required. Address prefix type.') - addressPrefixType: 'IPPrefix' | 'ServiceTag' - - @sys.description('Required. Address prefix.') - addressPrefix: string - }[]? - }[]? + rules: rulesType? }[]? diff --git a/avm/res/network/network-manager/security-admin-configuration/main.json b/avm/res/network/network-manager/security-admin-configuration/main.json index 00a3898765..fce3c9746e 100644 --- a/avm/res/network/network-manager/security-admin-configuration/main.json +++ b/avm/res/network/network-manager/security-admin-configuration/main.json 
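Review bot: The inline types deleted here carried constraints that the replacement `appliesToGroupsType` and `rulesType`, imported from `./rule-collection/main.bicep` and not visible in this chunk, must preserve: `@minValue(1)`/`@maxValue(4096)` on `priority`, the `'Allow' | 'AlwaysAllow' | 'Deny'` access literals, `'Inbound' | 'Outbound'`, the protocol list and the `'IPPrefix' | 'ServiceTag'` prefix types. If any of these was loosened to a plain `string` or `int` in the shared definition, a mistyped `access` or an out-of-range `priority` is no longer a compile error but a rejection at deployment time, after the rest of the configuration has been submitted. Please confirm the imported definitions are constraint-for-constraint identical to the removed ones, and keep the removed sentence explaining `AlwaysAllow` (it overrides lower-priority rules and user-defined NSGs) on the shared type, since that caveat is what a reviewer of a rule list most needs to see.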
@@ -6,10 +6,10 @@ "_generator": { "name": "bicep", "version": "0.32.4.45862", - "templateHash": "1513499222839675769" + "templateHash": "12859267430568475361" }, "name": "Network Manager Security Admin Configurations", - "description": "This module deploys an Network Manager Security Admin Configuration.\nA security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules.", + "description": "This module deploys an Network Manager Security Admin Configuration.\r\nA security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules.", "owner": "Azure/module-maintainers" }, "definitions": { @@ -19,9 +19,12 @@ "All", "AllowRulesOnly", "None" - ] + ], + "metadata": { + "__bicep_export!": true + } }, - "ruleCollectionType": { + "securityAdminConfigurationRuleCollectionType": { "type": "array", "items": { "type": "object", 
@@ -40,161 +43,13 @@ } }, "appliesToGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "networkGroupResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the network group." - } - } - } - }, + "$ref": "#/definitions/appliesToGroupsType", "metadata": { "description": "Required. List of network groups for configuration. An admin rule collection must be associated to at least one network group." } }, "rules": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the rule." - } - }, - "access": { - "type": "string", - "allowedValues": [ - "Allow", - "AlwaysAllow", - "Deny" - ], - "metadata": { - "description": "Required. Indicates the access allowed for this particular rule. \"Allow\" means traffic matching this rule will be allowed. \"Deny\" means traffic matching this rule will be blocked. \"AlwaysAllow\" means that traffic matching this rule will be allowed regardless of other rules with lower priority or user-defined NSGs." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. A description of the rule." - } - }, - "destinationPortRanges": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. List of destination port ranges. This specifies on which ports traffic will be allowed or denied by this rule. Provide an (*) to allow traffic on any port. Port ranges are between 1-65535." - } - }, - "destinations": { - "type": "array", - "items": { - "type": "object", - "properties": { - "addressPrefixType": { - "type": "string", - "allowedValues": [ - "IPPrefix", - "ServiceTag" - ], - "metadata": { - "description": "Required. Address prefix type." - } - }, - "addressPrefix": { - "type": "string", - "metadata": { - "description": "Required. Address prefix." 
- } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The destnations filter can be an IP Address or a service tag. Each filter contains the properties AddressPrefixType (IPPrefix or ServiceTag) and AddressPrefix (using CIDR notation (e.g. 192.168.99.0/24 or 2001:1234::/64) or a service tag (e.g. AppService.WestEurope)). Combining CIDR and Service tags in one rule filter is not permitted." - } - }, - "direction": { - "type": "string", - "allowedValues": [ - "Inbound", - "Outbound" - ], - "metadata": { - "description": "Required. Indicates if the traffic matched against the rule in inbound or outbound." - } - }, - "priority": { - "type": "int", - "minValue": 1, - "maxValue": 4096, - "metadata": { - "description": "Required. The priority of the rule. The value can be between 1 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule." - } - }, - "protocol": { - "type": "string", - "allowedValues": [ - "Ah", - "Any", - "Esp", - "Icmp", - "Tcp", - "Udp" - ], - "metadata": { - "description": "Required. Network protocol this rule applies to." - } - }, - "sourcePortRanges": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. List of destination port ranges. This specifies on which ports traffic will be allowed or denied by this rule. Provide an (*) to allow traffic on any port. Port ranges are between 1-65535." - } - }, - "sources": { - "type": "array", - "items": { - "type": "object", - "properties": { - "addressPrefixType": { - "type": "string", - "allowedValues": [ - "IPPrefix", - "ServiceTag" - ], - "metadata": { - "description": "Required. Address prefix type." - } - }, - "addressPrefix": { - "type": "string", - "metadata": { - "description": "Required. Address prefix." - } - } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. 
The source filter can be an IP Address or a service tag. Each filter contains the properties AddressPrefixType (IPPrefix or ServiceTag) and AddressPrefix (using CIDR notation (e.g. 192.168.99.0/24 or 2001:1234::/64) or a service tag (e.g. AppService.WestEurope)). Combining CIDR and Service tags in one rule filter is not permitted." - } - } - } - }, + "$ref": "#/definitions/rulesType", "nullable": true, "metadata": { "description": "Optional. List of rules for the admin rules collection. Security admin rules allows enforcing security policy criteria that matches the conditions set. Warning: A rule collection without rule will cause a deployment configuration for security admin goal state in network manager to fail." 
@@ -202,7 +57,211 @@ } } }, - "nullable": true + "nullable": true, + "metadata": { + "__bicep_export!": true + } + }, + "_1.destinationPortRangesType": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "rule-collection/rule/main.bicep" + } + } + }, + "_1.destinationsType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "addressPrefixType": { + "type": "string", + "allowedValues": [ + "IPPrefix", + "ServiceTag" + ], + "metadata": { + "description": "Required. Address prefix type." + } + }, + "addressPrefix": { + "type": "string", + "metadata": { + "description": "Required. Address prefix." + } + } + } + }, + "nullable": true, + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "rule-collection/rule/main.bicep" + } + } + }, + "_1.sourcePortRangesType": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "rule-collection/rule/main.bicep" + } + } + }, + "_1.sourcesType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "addressPrefixType": { + "type": "string", + "allowedValues": [ + "IPPrefix", + "ServiceTag" + ], + "metadata": { + "description": "Required. Address prefix type." + } + }, + "addressPrefix": { + "type": "string", + "metadata": { + "description": "Required. Address prefix." + } + } + } + }, + "nullable": true, + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "rule-collection/rule/main.bicep" + } + } + }, + "appliesToGroupsType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "networkGroupResourceId": { + "type": "string", + "metadata": { + "description": "Required. The resource ID of the network group." 
+ } + } + } + }, + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "rule-collection/main.bicep" + } + } + }, + "rulesType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the rule." + } + }, + "access": { + "type": "string", + "allowedValues": [ + "Allow", + "AlwaysAllow", + "Deny" + ], + "metadata": { + "description": "Required. Indicates the access allowed for this particular rule. \"Allow\" means traffic matching this rule will be allowed. \"Deny\" means traffic matching this rule will be blocked. \"AlwaysAllow\" means that traffic matching this rule will be allowed regardless of other rules with lower priority or user-defined NSGs." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. A description of the rule." + } + }, + "destinationPortRanges": { + "$ref": "#/definitions/_1.destinationPortRangesType", + "nullable": true, + "metadata": { + "description": "Optional. List of destination port ranges. This specifies on which ports traffic will be allowed or denied by this rule. Provide an (*) to allow traffic on any port. Port ranges are between 1-65535." + } + }, + "destinations": { + "$ref": "#/definitions/_1.destinationsType", + "nullable": true, + "metadata": { + "description": "Optional. The destnations filter can be an IP Address or a service tag. Each filter contains the properties AddressPrefixType (IPPrefix or ServiceTag) and AddressPrefix (using CIDR notation (e.g. 192.168.99.0/24 or 2001:1234::/64) or a service tag (e.g. AppService.WestEurope)). Combining CIDR and Service tags in one rule filter is not permitted." + } + }, + "direction": { + "type": "string", + "allowedValues": [ + "Inbound", + "Outbound" + ], + "metadata": { + "description": "Required. Indicates if the traffic matched against the rule in inbound or outbound." 
+ } + }, + "priority": { + "type": "int", + "minValue": 1, + "maxValue": 4096, + "metadata": { + "description": "Required. The priority of the rule. The value can be between 1 and 4096. The priority number must be unique for each rule in the collection. The lower the priority number, the higher the priority of the rule." + } + }, + "protocol": { + "type": "string", + "allowedValues": [ + "Ah", + "Any", + "Esp", + "Icmp", + "Tcp", + "Udp" + ], + "metadata": { + "description": "Required. Network protocol this rule applies to." + } + }, + "sourcePortRanges": { + "$ref": "#/definitions/_1.sourcePortRangesType", + "nullable": true, + "metadata": { + "description": "Optional. List of destination port ranges. This specifies on which ports traffic will be allowed or denied by this rule. Provide an (*) to allow traffic on any port. Port ranges are between 1-65535." + } + }, + "sources": { + "$ref": "#/definitions/_1.sourcesType", + "nullable": true, + "metadata": { + "description": "Optional. The source filter can be an IP Address or a service tag. Each filter contains the properties AddressPrefixType (IPPrefix or ServiceTag) and AddressPrefix (using CIDR notation (e.g. 192.168.99.0/24 or 2001:1234::/64) or a service tag (e.g. AppService.WestEurope)). Combining CIDR and Service tags in one rule filter is not permitted." + } + } + } + }, + "nullable": true, + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "rule-collection/main.bicep" + } + } } }, "parameters": { @@ -221,7 +280,7 @@ }, "description": { "type": "string", - "nullable": true, + "defaultValue": "", "maxLength": 500, "metadata": { "description": "Optional. A description of the security admin configuration." 
@@ -233,8 +292,19 @@ "description": "Required. Enum list of network intent policy based services." } }, + "networkGroupAddressSpaceAggregationOption": { + "type": "string", + "defaultValue": "None", + "allowedValues": [ + "None", + "Manual" + ], + "metadata": { + "description": "Optional. Determine update behavior for changes to network groups referenced within the rules in this configuration." + } + }, "ruleCollections": { - "$ref": "#/definitions/ruleCollectionType", + "$ref": "#/definitions/securityAdminConfigurationRuleCollectionType", "metadata": { "description": "Optional. A security admin configuration contains a set of rule collections that are applied to network groups. Each rule collection contains one or more security admin rules." } @@ -244,16 +314,17 @@ "networkManager": { "existing": true, "type": "Microsoft.Network/networkManagers", - "apiVersion": "2023-11-01", + "apiVersion": "2024-05-01", "name": "[parameters('networkManagerName')]" }, "securityAdminConfigurations": { "type": "Microsoft.Network/networkManagers/securityAdminConfigurations", - "apiVersion": "2023-11-01", + "apiVersion": "2024-05-01", "name": "[format('{0}/{1}', parameters('networkManagerName'), parameters('name'))]", "properties": { - "description": "[coalesce(parameters('description'), '')]", - "applyOnNetworkIntentPolicyBasedServices": "[parameters('applyOnNetworkIntentPolicyBasedServices')]" + "description": "[parameters('description')]", + "applyOnNetworkIntentPolicyBasedServices": "[parameters('applyOnNetworkIntentPolicyBasedServices')]", + "networkGroupAddressSpaceAggregationOption": "[parameters('networkGroupAddressSpaceAggregationOption')]" } }, "securityAdminConfigurations_ruleCollections": { 
@@ -280,7 +351,7 @@ "value": "[coalesce(parameters('ruleCollections'), createArray())[copyIndex()].name]" }, "description": { - "value": "[coalesce(tryGet(coalesce(parameters('ruleCollections'), createArray())[copyIndex()], 'description'), '')]" + "value": "[tryGet(coalesce(parameters('ruleCollections'), createArray())[copyIndex()], 'description')]" }, "appliesToGroups": { "value": "[coalesce(parameters('ruleCollections'), createArray())[copyIndex()].appliesToGroups]" @@ -297,10 +368,10 @@ "_generator": { "name": "bicep", "version": "0.32.4.45862", - "templateHash": "2660798758480993366" + "templateHash": "11555299168771769835" }, "name": "Network Manager Security Admin Configuration Rule Collections", - "description": "This module deploys an Network Manager Security Admin Configuration Rule Collection.\nA security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules. Security admin rules allows enforcing security policy criteria that matches the conditions set. Warning: A rule collection without rule will cause a deployment configuration for security admin goal state in network manager to fail.", + "description": "This module deploys an Network Manager Security Admin Configuration Rule Collection.\r\nA security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules. Security admin rules allows enforcing security policy criteria that matches the conditions set. Warning: A rule collection without rule will cause a deployment configuration for security admin goal state in network manager to fail.", "owner": "Azure/module-maintainers" }, "definitions": { @@ -316,6 +387,9 @@ } } } + }, + "metadata": { + "__bicep_export!": true } }, "rulesType": { 
@@ -348,38 +422,14 @@ } }, "destinationPortRanges": { - "type": "array", - "items": { - "type": "string" - }, + "$ref": "#/definitions/destinationPortRangesType", "nullable": true, "metadata": { "description": "Optional. List of destination port ranges. This specifies on which ports traffic will be allowed or denied by this rule. Provide an (*) to allow traffic on any port. Port ranges are between 1-65535." } }, "destinations": { - "type": "array", - "items": { - "type": "object", - "properties": { - "addressPrefixType": { - "type": "string", - "allowedValues": [ - "IPPrefix", - "ServiceTag" - ], - "metadata": { - "description": "Required. Address prefix type." - } - }, - "addressPrefix": { - "type": "string", - "metadata": { - "description": "Required. Address prefix." - } - } - } - }, + "$ref": "#/definitions/destinationsType", "nullable": true, "metadata": { "description": "Optional. The destnations filter can be an IP Address or a service tag. Each filter contains the properties AddressPrefixType (IPPrefix or ServiceTag) and AddressPrefix (using CIDR notation (e.g. 192.168.99.0/24 or 2001:1234::/64) or a service tag (e.g. AppService.WestEurope)). Combining CIDR and Service tags in one rule filter is not permitted." 
@@ -418,38 +468,14 @@ } }, "sourcePortRanges": { - "type": "array", - "items": { - "type": "string" - }, + "$ref": "#/definitions/sourcePortRangesType", "nullable": true, "metadata": { "description": "Optional. List of destination port ranges. This specifies on which ports traffic will be allowed or denied by this rule. Provide an (*) to allow traffic on any port. Port ranges are between 1-65535." } }, "sources": { - "type": "array", - "items": { - "type": "object", - "properties": { - "addressPrefixType": { - "type": "string", - "allowedValues": [ - "IPPrefix", - "ServiceTag" - ], - "metadata": { - "description": "Required. Address prefix type." - } - }, - "addressPrefix": { - "type": "string", - "metadata": { - "description": "Required. Address prefix." - } - } - } - }, + "$ref": "#/definitions/sourcesType", "nullable": true, "metadata": { "description": "Optional. The source filter can be an IP Address or a service tag. Each filter contains the properties AddressPrefixType (IPPrefix or ServiceTag) and AddressPrefix (using CIDR notation (e.g. 192.168.99.0/24 or 2001:1234::/64) or a service tag (e.g. AppService.WestEurope)). Combining CIDR and Service tags in one rule filter is not permitted." 
@@ -457,7 +483,94 @@ } } }, - "nullable": true + "nullable": true, + "metadata": { + "__bicep_export!": true + } + }, + "destinationPortRangesType": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "rule/main.bicep" + } + } + }, + "destinationsType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "addressPrefixType": { + "type": "string", + "allowedValues": [ + "IPPrefix", + "ServiceTag" + ], + "metadata": { + "description": "Required. Address prefix type." + } + }, + "addressPrefix": { + "type": "string", + "metadata": { + "description": "Required. Address prefix." + } + } + } + }, + "nullable": true, + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "rule/main.bicep" + } + } + }, + "sourcePortRangesType": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "rule/main.bicep" + } + } + }, + "sourcesType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "addressPrefixType": { + "type": "string", + "allowedValues": [ + "IPPrefix", + "ServiceTag" + ], + "metadata": { + "description": "Required. Address prefix type." + } + }, + "addressPrefix": { + "type": "string", + "metadata": { + "description": "Required. Address prefix." + } + } + } + }, + "nullable": true, + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "rule/main.bicep" + } + } } }, "parameters": { @@ -482,7 +595,7 @@ }, "description": { "type": "string", - "nullable": true, + "defaultValue": "", "maxLength": 500, "metadata": { "description": "Optional. A description of the admin rule collection." 
@@ -505,27 +618,27 @@ "networkManager::securityAdminConfiguration": { "existing": true, "type": "Microsoft.Network/networkManagers/securityAdminConfigurations", - "apiVersion": "2023-11-01", + "apiVersion": "2024-05-01", "name": "[format('{0}/{1}', parameters('networkManagerName'), parameters('securityAdminConfigurationName'))]" }, "networkManager": { "existing": true, "type": "Microsoft.Network/networkManagers", - "apiVersion": "2023-11-01", + "apiVersion": "2024-05-01", "name": "[parameters('networkManagerName')]" }, "ruleCollection": { "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections", - "apiVersion": "2023-11-01", + "apiVersion": "2024-05-01", "name": "[format('{0}/{1}/{2}', parameters('networkManagerName'), parameters('securityAdminConfigurationName'), parameters('name'))]", "properties": { - "description": "[coalesce(parameters('description'), '')]", + "description": "[parameters('description')]", "appliesToGroups": "[map(parameters('appliesToGroups'), lambda('group', createObject('networkGroupId', lambdaVariables('group').networkGroupResourceId)))]" } }, - "securityAdminConfigurations_rules": { + "ruleCollection_rules": { "copy": { - "name": "securityAdminConfigurations_rules", + "name": "ruleCollection_rules", "count": "[length(coalesce(parameters('rules'), createArray()))]" }, "type": "Microsoft.Resources/deployments", @@ -553,7 +666,7 @@ "value": "[coalesce(parameters('rules'), createArray())[copyIndex()].access]" }, "description": { - "value": "[coalesce(tryGet(coalesce(parameters('rules'), createArray())[copyIndex()], 'description'), '')]" + "value": "[tryGet(coalesce(parameters('rules'), createArray())[copyIndex()], 'description')]" }, "destinationPortRanges": { "value": "[coalesce(tryGet(coalesce(parameters('rules'), createArray())[copyIndex()], 'destinationPortRanges'), createArray())]" 
@@ -585,10 +698,10 @@ "_generator": { "name": "bicep", "version": "0.32.4.45862", - "templateHash": "17715910169740786334" + "templateHash": "11831246248888143865" }, "name": "Network Manager Security Admin Configuration Rule Collection Rules", - "description": "This module deploys an Azure Virtual Network Manager (AVNM) Security Admin Configuration Rule Collection Rule.\nA security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules.", + "description": "This module deploys an Azure Virtual Network Manager (AVNM) Security Admin Configuration Rule Collection Rule.\r\nA security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules.", "owner": "Azure/module-maintainers" }, "definitions": { @@ -597,7 +710,10 @@ "items": { "type": "string" }, - "nullable": true + "nullable": true, + "metadata": { + "__bicep_export!": true + } }, "destinationsType": { "type": "array", @@ -622,14 +738,20 @@ } } }, - "nullable": true + "nullable": true, + "metadata": { + "__bicep_export!": true + } }, "sourcePortRangesType": { "type": "array", "items": { "type": "string" }, - "nullable": true + "nullable": true, + "metadata": { + "__bicep_export!": true + } }, "sourcesType": { "type": "array", @@ -654,7 +776,10 @@ } } }, - "nullable": true + "nullable": true, + "metadata": { + "__bicep_export!": true + } } }, "parameters": { @@ -685,7 +810,7 @@ }, "description": { "type": "string", - "nullable": true, + "defaultValue": "", "maxLength": 500, "metadata": { "description": "Optional. A description of the rule." 
@@ -771,29 +896,29 @@ "networkManager::securityAdminConfiguration::ruleCollection": { "existing": true, "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections", - "apiVersion": "2023-11-01", + "apiVersion": "2024-05-01", "name": "[format('{0}/{1}/{2}', parameters('networkManagerName'), parameters('securityAdminConfigurationName'), parameters('ruleCollectionName'))]" }, "networkManager::securityAdminConfiguration": { "existing": true, "type": "Microsoft.Network/networkManagers/securityAdminConfigurations", - "apiVersion": "2023-11-01", + "apiVersion": "2024-05-01", "name": "[format('{0}/{1}', parameters('networkManagerName'), parameters('securityAdminConfigurationName'))]" }, "networkManager": { "existing": true, "type": "Microsoft.Network/networkManagers", - "apiVersion": "2023-11-01", + "apiVersion": "2024-05-01", "name": "[parameters('networkManagerName')]" }, "rule": { "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules", - "apiVersion": "2023-11-01", + "apiVersion": "2024-05-01", "name": "[format('{0}/{1}/{2}/{3}', parameters('networkManagerName'), parameters('securityAdminConfigurationName'), parameters('ruleCollectionName'), parameters('name'))]", "kind": "Custom", "properties": { "access": "[parameters('access')]", - "description": "[coalesce(parameters('description'), '')]", + "description": "[parameters('description')]", "destinationPortRanges": "[parameters('destinationPortRanges')]", "destinations": "[parameters('destinations')]", "direction": "[parameters('direction')]", diff --git a/avm/res/network/network-manager/security-admin-configuration/rule-collection/README.md b/avm/res/network/network-manager/security-admin-configuration/rule-collection/README.md index a411a209fb..695ecbbf57 100644 --- a/avm/res/network/network-manager/security-admin-configuration/rule-collection/README.md +++ b/avm/res/network/network-manager/security-admin-configuration/rule-collection/README.md 
@@ -13,8 +13,8 @@ A security admin configuration contains a set of rule collections. Each rule col | Resource Type | API Version | | :-- | :-- | -| `Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections` | [2023-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-11-01/networkManagers/securityAdminConfigurations/ruleCollections) | -| `Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules` | [2023-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-11-01/networkManagers/securityAdminConfigurations/ruleCollections/rules) | +| `Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections` | [2024-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2024-05-01/networkManagers/securityAdminConfigurations/ruleCollections) | +| `Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules` | [2024-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2024-05-01/networkManagers/securityAdminConfigurations/ruleCollections/rules) | ## Parameters @@ -86,6 +86,7 @@ A description of the admin rule collection. - Required: No - Type: string +- Default: `''` ### Parameter: `rules` diff --git a/avm/res/network/network-manager/security-admin-configuration/rule-collection/main.bicep b/avm/res/network/network-manager/security-admin-configuration/rule-collection/main.bicep index 3996f08ff7..00ff251b2a 100644 --- a/avm/res/network/network-manager/security-admin-configuration/rule-collection/main.bicep +++ b/avm/res/network/network-manager/security-admin-configuration/rule-collection/main.bicep 
@@ -15,7 +15,7 @@ param name string @maxLength(500) @sys.description('Optional. A description of the admin rule collection.') -param description string? +param description string = '' @sys.description('Required. List of network groups for configuration. An admin rule collection must be associated to at least one network group.') param appliesToGroups appliesToGroupsType @@ -23,26 +23,26 @@ param appliesToGroups appliesToGroupsType @sys.description('Optional. List of rules for the admin rules collection. Security admin rules allows enforcing security policy criteria that matches the conditions set. Warning: A rule collection without rule will cause a deployment configuration for security admin goal state in network manager to fail.') param rules rulesType -resource networkManager 'Microsoft.Network/networkManagers@2023-11-01' existing = { +resource networkManager 'Microsoft.Network/networkManagers@2024-05-01' existing = { name: networkManagerName - resource securityAdminConfiguration 'securityAdminConfigurations@2023-11-01' existing = { + resource securityAdminConfiguration 'securityAdminConfigurations' existing = { name: securityAdminConfigurationName } } -resource ruleCollection 'Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections@2023-11-01' = { +resource ruleCollection 'Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections@2024-05-01' = { name: name parent: networkManager::securityAdminConfiguration properties: { - description: description ?? '' + description: description appliesToGroups: map(appliesToGroups, (group) => { networkGroupId: any(group.networkGroupResourceId) }) } } -module securityAdminConfigurations_rules 'rule/main.bicep' = [ +module ruleCollection_rules 'rule/main.bicep' = [ for (rule, index) in rules ?? []: { name: '${uniqueString(deployment().name)}-RuleCollections-Rules-${index}' params: { 
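Review bot: The regenerated `rule-collection/main.json` (its `@@ -6,10 +6,10 @@` hunk) now embeds `\r\n` in the module description where the previous build had `\n`, which suggests this file, or at least its `metadata description` block, was saved with CRLF line endings; that block is outside both hunks here, so I cannot point at the exact line. Normalising the source to LF before building (via the repository's line-ending attributes if it has them, or the editor setting) keeps the generated template and its `templateHash` stable across contributors rather than changing with whoever last saved the file. The `param description string = ''` change in the first hunk is consistent with `description: description` in the resource body of the second hunk, so no further change is needed there.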
@@ -51,7 +51,7 @@ module securityAdminConfigurations_rules 'rule/main.bicep' = [ ruleCollectionName: ruleCollection.name name: rule.name access: rule.access - description: rule.?description ?? '' + description: rule.?description destinationPortRanges: rule.?destinationPortRanges ?? [] destinations: rule.?destinations ?? [] direction: rule.direction @@ -76,11 +76,14 @@ output resourceGroupName string = resourceGroup().name // Definitions // // =============== // +@export() type appliesToGroupsType = { @sys.description('Required. The resource ID of the network group.') networkGroupResourceId: string }[] +import { destinationPortRangesType, destinationsType, sourcePortRangesType, sourcesType } from './rule/main.bicep' +@export() type rulesType = { @sys.description('Required. The name of the rule.') name: string @@ -92,16 +95,10 @@ type rulesType = { description: string? @sys.description('Optional. List of destination port ranges. This specifies on which ports traffic will be allowed or denied by this rule. Provide an (*) to allow traffic on any port. Port ranges are between 1-65535.') - destinationPortRanges: string[]? + destinationPortRanges: destinationPortRangesType? @sys.description('Optional. The destnations filter can be an IP Address or a service tag. Each filter contains the properties AddressPrefixType (IPPrefix or ServiceTag) and AddressPrefix (using CIDR notation (e.g. 192.168.99.0/24 or 2001:1234::/64) or a service tag (e.g. AppService.WestEurope)). Combining CIDR and Service tags in one rule filter is not permitted.') - destinations: { - @sys.description('Required. Address prefix type.') - addressPrefixType: 'IPPrefix' | 'ServiceTag' - - @sys.description('Required. Address prefix.') - addressPrefix: string - }[]? + destinations: destinationsType? @sys.description('Required. Indicates if the traffic matched against the rule in inbound or outbound.') direction: 'Inbound' | 'Outbound' 
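Review bot: The `import { destinationPortRangesType, destinationsType, sourcePortRangesType, sourcesType } from './rule/main.bicep'` statement in the second hunk is placed between two type definitions inside the Definitions section; Bicep accepts an import anywhere at top level, but keeping it with the other top-of-file statements makes the dependency on the child module visible before `rulesType` is read. In the first hunk, `description: rule.?description` now hands a possibly-null value to the child module's description parameter, which per the regenerated rule main.json is `string` with `defaultValue: ""`; this relies on the parameter default being substituted when null is supplied, so a comment such as `// a null description selects the child param's default of ''` would make that intent explicit. In the third hunk the unchanged description directly above `destinations: destinationsType?` still reads "destnations"; since that member is being touched, changing it to `The destinations filter` would fix the typo.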
@@ -115,14 +112,8 @@ type rulesType = { protocol: 'Ah' | 'Any' | 'Esp' | 'Icmp' | 'Tcp' | 'Udp' @sys.description('Optional. List of destination port ranges. This specifies on which ports traffic will be allowed or denied by this rule. Provide an (*) to allow traffic on any port. Port ranges are between 1-65535.') - sourcePortRanges: string[]? + sourcePortRanges: sourcePortRangesType? @sys.description('Optional. The source filter can be an IP Address or a service tag. Each filter contains the properties AddressPrefixType (IPPrefix or ServiceTag) and AddressPrefix (using CIDR notation (e.g. 192.168.99.0/24 or 2001:1234::/64) or a service tag (e.g. AppService.WestEurope)). Combining CIDR and Service tags in one rule filter is not permitted.') - sources: { - @sys.description('Required. Address prefix type.') - addressPrefixType: 'IPPrefix' | 'ServiceTag' - - @sys.description('Required. Address prefix.') - addressPrefix: string - }[]? + sources: sourcesType? }[]? diff --git a/avm/res/network/network-manager/security-admin-configuration/rule-collection/main.json b/avm/res/network/network-manager/security-admin-configuration/rule-collection/main.json index 15d60bd4c2..b07a11e479 100644 --- a/avm/res/network/network-manager/security-admin-configuration/rule-collection/main.json +++ b/avm/res/network/network-manager/security-admin-configuration/rule-collection/main.json 
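Review bot: The description above the changed `sourcePortRanges: sourcePortRangesType?` line still says "List of destination port ranges", a copy of the destination member's text, and the regenerated `rulesType` in `security-admin-configuration/main.json` carries the same wording, so consumers of both modules see a source field documented as a destination one; I would change it to `@sys.description('Optional. List of source port ranges. This specifies from which ports traffic will be allowed or denied by this rule. Provide an (*) to allow traffic on any port. Port ranges are between 1-65535.')`. The `?` on `sourcePortRangesType?` and `sourcesType?` duplicates nullability the imported types already declare (`"nullable": true` in the rule module's main.json), so it can be dropped or kept deliberately, but the choice should match the `destinations`/`destinationPortRanges` members in the previous hunk. The definition of `rulesType` begins before this hunk.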
@@ -6,10 +6,10 @@ "_generator": { "name": "bicep", "version": "0.32.4.45862", - "templateHash": "2660798758480993366" + "templateHash": "11555299168771769835" }, "name": "Network Manager Security Admin Configuration Rule Collections", - "description": "This module deploys an Network Manager Security Admin Configuration Rule Collection.\nA security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules. Security admin rules allows enforcing security policy criteria that matches the conditions set. Warning: A rule collection without rule will cause a deployment configuration for security admin goal state in network manager to fail.", + "description": "This module deploys an Network Manager Security Admin Configuration Rule Collection.\r\nA security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules. Security admin rules allows enforcing security policy criteria that matches the conditions set. Warning: A rule collection without rule will cause a deployment configuration for security admin goal state in network manager to fail.", "owner": "Azure/module-maintainers" }, "definitions": { @@ -25,6 +25,9 @@ } } } + }, + "metadata": { + "__bicep_export!": true } }, "rulesType": { 
@@ -57,38 +60,14 @@ } }, "destinationPortRanges": { - "type": "array", - "items": { - "type": "string" - }, + "$ref": "#/definitions/destinationPortRangesType", "nullable": true, "metadata": { "description": "Optional. List of destination port ranges. This specifies on which ports traffic will be allowed or denied by this rule. Provide an (*) to allow traffic on any port. Port ranges are between 1-65535." } }, "destinations": { - "type": "array", - "items": { - "type": "object", - "properties": { - "addressPrefixType": { - "type": "string", - "allowedValues": [ - "IPPrefix", - "ServiceTag" - ], - "metadata": { - "description": "Required. Address prefix type." - } - }, - "addressPrefix": { - "type": "string", - "metadata": { - "description": "Required. Address prefix." - } - } - } - }, + "$ref": "#/definitions/destinationsType", "nullable": true, "metadata": { "description": "Optional. The destnations filter can be an IP Address or a service tag. Each filter contains the properties AddressPrefixType (IPPrefix or ServiceTag) and AddressPrefix (using CIDR notation (e.g. 192.168.99.0/24 or 2001:1234::/64) or a service tag (e.g. AppService.WestEurope)). Combining CIDR and Service tags in one rule filter is not permitted." 
@@ -127,38 +106,14 @@ } }, "sourcePortRanges": { - "type": "array", - "items": { - "type": "string" - }, + "$ref": "#/definitions/sourcePortRangesType", "nullable": true, "metadata": { "description": "Optional. List of destination port ranges. This specifies on which ports traffic will be allowed or denied by this rule. Provide an (*) to allow traffic on any port. Port ranges are between 1-65535." } }, "sources": { - "type": "array", - "items": { - "type": "object", - "properties": { - "addressPrefixType": { - "type": "string", - "allowedValues": [ - "IPPrefix", - "ServiceTag" - ], - "metadata": { - "description": "Required. Address prefix type." - } - }, - "addressPrefix": { - "type": "string", - "metadata": { - "description": "Required. Address prefix." - } - } - } - }, + "$ref": "#/definitions/sourcesType", "nullable": true, "metadata": { "description": "Optional. The source filter can be an IP Address or a service tag. Each filter contains the properties AddressPrefixType (IPPrefix or ServiceTag) and AddressPrefix (using CIDR notation (e.g. 192.168.99.0/24 or 2001:1234::/64) or a service tag (e.g. AppService.WestEurope)). Combining CIDR and Service tags in one rule filter is not permitted." 
@@ -166,7 +121,94 @@ } } }, - "nullable": true + "nullable": true, + "metadata": { + "__bicep_export!": true + } + }, + "destinationPortRangesType": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "rule/main.bicep" + } + } + }, + "destinationsType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "addressPrefixType": { + "type": "string", + "allowedValues": [ + "IPPrefix", + "ServiceTag" + ], + "metadata": { + "description": "Required. Address prefix type." + } + }, + "addressPrefix": { + "type": "string", + "metadata": { + "description": "Required. Address prefix." + } + } + } + }, + "nullable": true, + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "rule/main.bicep" + } + } + }, + "sourcePortRangesType": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "rule/main.bicep" + } + } + }, + "sourcesType": { + "type": "array", + "items": { + "type": "object", + "properties": { + "addressPrefixType": { + "type": "string", + "allowedValues": [ + "IPPrefix", + "ServiceTag" + ], + "metadata": { + "description": "Required. Address prefix type." + } + }, + "addressPrefix": { + "type": "string", + "metadata": { + "description": "Required. Address prefix." + } + } + } + }, + "nullable": true, + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "rule/main.bicep" + } + } } }, "parameters": { @@ -191,7 +233,7 @@ }, "description": { "type": "string", - "nullable": true, + "defaultValue": "", "maxLength": 500, "metadata": { "description": "Optional. A description of the admin rule collection." 
@@ -214,27 +256,27 @@ "networkManager::securityAdminConfiguration": { "existing": true, "type": "Microsoft.Network/networkManagers/securityAdminConfigurations", - "apiVersion": "2023-11-01", + "apiVersion": "2024-05-01", "name": "[format('{0}/{1}', parameters('networkManagerName'), parameters('securityAdminConfigurationName'))]" }, "networkManager": { "existing": true, "type": "Microsoft.Network/networkManagers", - "apiVersion": "2023-11-01", + "apiVersion": "2024-05-01", "name": "[parameters('networkManagerName')]" }, "ruleCollection": { "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections", - "apiVersion": "2023-11-01", + "apiVersion": "2024-05-01", "name": "[format('{0}/{1}/{2}', parameters('networkManagerName'), parameters('securityAdminConfigurationName'), parameters('name'))]", "properties": { - "description": "[coalesce(parameters('description'), '')]", + "description": "[parameters('description')]", "appliesToGroups": "[map(parameters('appliesToGroups'), lambda('group', createObject('networkGroupId', lambdaVariables('group').networkGroupResourceId)))]" } }, - "securityAdminConfigurations_rules": { + "ruleCollection_rules": { "copy": { - "name": "securityAdminConfigurations_rules", + "name": "ruleCollection_rules", "count": "[length(coalesce(parameters('rules'), createArray()))]" }, "type": "Microsoft.Resources/deployments", @@ -262,7 +304,7 @@ "value": "[coalesce(parameters('rules'), createArray())[copyIndex()].access]" }, "description": { - "value": "[coalesce(tryGet(coalesce(parameters('rules'), createArray())[copyIndex()], 'description'), '')]" + "value": "[tryGet(coalesce(parameters('rules'), createArray())[copyIndex()], 'description')]" }, "destinationPortRanges": { "value": "[coalesce(tryGet(coalesce(parameters('rules'), createArray())[copyIndex()], 'destinationPortRanges'), createArray())]" 
@@ -294,10 +336,10 @@ "_generator": { "name": "bicep", "version": "0.32.4.45862", - "templateHash": "17715910169740786334" + "templateHash": "11831246248888143865" }, "name": "Network Manager Security Admin Configuration Rule Collection Rules", - "description": "This module deploys an Azure Virtual Network Manager (AVNM) Security Admin Configuration Rule Collection Rule.\nA security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules.", + "description": "This module deploys an Azure Virtual Network Manager (AVNM) Security Admin Configuration Rule Collection Rule.\r\nA security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules.", "owner": "Azure/module-maintainers" }, "definitions": { @@ -306,7 +348,10 @@ "items": { "type": "string" }, - "nullable": true + "nullable": true, + "metadata": { + "__bicep_export!": true + } }, "destinationsType": { "type": "array", @@ -331,14 +376,20 @@ } } }, - "nullable": true + "nullable": true, + "metadata": { + "__bicep_export!": true + } }, "sourcePortRangesType": { "type": "array", "items": { "type": "string" }, - "nullable": true + "nullable": true, + "metadata": { + "__bicep_export!": true + } }, "sourcesType": { "type": "array", @@ -363,7 +414,10 @@ } } }, - "nullable": true + "nullable": true, + "metadata": { + "__bicep_export!": true + } } }, "parameters": { @@ -394,7 +448,7 @@ }, "description": { "type": "string", - "nullable": true, + "defaultValue": "", "maxLength": 500, "metadata": { "description": "Optional. A description of the rule." 
@@ -480,29 +534,29 @@ "networkManager::securityAdminConfiguration::ruleCollection": { "existing": true, "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections", - "apiVersion": "2023-11-01", + "apiVersion": "2024-05-01", "name": "[format('{0}/{1}/{2}', parameters('networkManagerName'), parameters('securityAdminConfigurationName'), parameters('ruleCollectionName'))]" }, "networkManager::securityAdminConfiguration": { "existing": true, "type": "Microsoft.Network/networkManagers/securityAdminConfigurations", - "apiVersion": "2023-11-01", + "apiVersion": "2024-05-01", "name": "[format('{0}/{1}', parameters('networkManagerName'), parameters('securityAdminConfigurationName'))]" }, "networkManager": { "existing": true, "type": "Microsoft.Network/networkManagers", - "apiVersion": "2023-11-01", + "apiVersion": "2024-05-01", "name": "[parameters('networkManagerName')]" }, "rule": { "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules", - "apiVersion": "2023-11-01", + "apiVersion": "2024-05-01", "name": "[format('{0}/{1}/{2}/{3}', parameters('networkManagerName'), parameters('securityAdminConfigurationName'), parameters('ruleCollectionName'), parameters('name'))]", "kind": "Custom", "properties": { "access": "[parameters('access')]", - "description": "[coalesce(parameters('description'), '')]", + "description": "[parameters('description')]", "destinationPortRanges": "[parameters('destinationPortRanges')]", "destinations": "[parameters('destinations')]", "direction": "[parameters('direction')]", diff --git a/avm/res/network/network-manager/security-admin-configuration/rule-collection/rule/README.md b/avm/res/network/network-manager/security-admin-configuration/rule-collection/rule/README.md index 58b537432d..280bf5c7dc 100644 --- a/avm/res/network/network-manager/security-admin-configuration/rule-collection/rule/README.md 
+++ b/avm/res/network/network-manager/security-admin-configuration/rule-collection/rule/README.md
@@ -13,7 +13,7 @@ A security admin configuration contains a set of rule collections. Each rule col
 | Resource Type | API Version |
 | :-- | :-- |
-| `Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules` | [2023-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-11-01/networkManagers/securityAdminConfigurations/ruleCollections/rules) |
+| `Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules` | [2024-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2024-05-01/networkManagers/securityAdminConfigurations/ruleCollections/rules) |
 ## Parameters
@@ -143,6 +143,7 @@ A description of the rule.
 - Required: No
 - Type: string
+- Default: `''`
 - MinValue: 1
 - MaxValue: 4096
diff --git a/avm/res/network/network-manager/security-admin-configuration/rule-collection/rule/main.bicep b/avm/res/network/network-manager/security-admin-configuration/rule-collection/rule/main.bicep
index 9a4af7e812..88a46d4e97 100644
--- a/avm/res/network/network-manager/security-admin-configuration/rule-collection/rule/main.bicep
+++ b/avm/res/network/network-manager/security-admin-configuration/rule-collection/rule/main.bicep
@@ -18,7 +18,7 @@ param name string
 @maxLength(500)
 @sys.description('Optional. A description of the rule.')
-param description string?
+param description string = ''
 @allowed([
 'Allow'
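Review bot: The compiled rule/main.json in this commit carries `\r\n` inside the metadata `description` string (rule-collection/main.json shows the same), which suggests this main.bicep is now saved with CRLF line endings; normalising the source files to LF before running the build keeps carriage returns out of the published template and avoids spurious `templateHash` churn. The rule README in the same commit documents the new `''` default for `param description string = ''` but still lists `MinValue: 1` / `MaxValue: 4096` for this string parameter, which does not match `@maxLength(500)` here — if the README is generated, the metadata it reads from should be checked. The parameter list continues outside the hunk.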
@@ -63,25 +63,25 @@ param sourcePortRanges string[]?
 @sys.description('Optional. The source filter can be an IP Address or a service tag. Each filter contains the properties AddressPrefixType (IPPrefix or ServiceTag) and AddressPrefix (using CIDR notation (e.g. 192.168.99.0/24 or 2001:1234::/64) or a service tag (e.g. AppService.WestEurope)). Combining CIDR and Service tags in one rule filter is not permitted.')
 param sources sourcesType
-resource networkManager 'Microsoft.Network/networkManagers@2023-11-01' existing = {
+resource networkManager 'Microsoft.Network/networkManagers@2024-05-01' existing = {
 name: networkManagerName
- resource securityAdminConfiguration 'securityAdminConfigurations@2023-11-01' existing = {
+ resource securityAdminConfiguration 'securityAdminConfigurations' existing = {
 name: securityAdminConfigurationName
- resource ruleCollection 'ruleCollections@2023-11-01' existing = {
+ resource ruleCollection 'ruleCollections' existing = {
 name: ruleCollectionName
 }
 }
 }
-resource rule 'Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules@2023-11-01' = {
+resource rule 'Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules@2024-05-01' = {
 name: name
 parent: networkManager::securityAdminConfiguration::ruleCollection
 kind: 'Custom'
 properties: {
 access: access
- description: description ?? ''
+ description: description
 destinationPortRanges: destinationPortRanges
 destinations: destinations
 direction: direction
@@ -105,8 +105,10 @@ output resourceGroupName string = resourceGroup().name
 // Definitions //
 // =============== //
+@export()
 type destinationPortRangesType = string[]?
+@export()
 type destinationsType = {
 @sys.description('Required. Address prefix type.')
 addressPrefixType: 'IPPrefix' | 'ServiceTag'
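Review bot: Nullability is now declared twice for the exported types: `type destinationPortRangesType = string[]?` bakes `?` into the exported definition, and the importing `rulesType` in rule-collection/main.bicep applies it again (`sourcePortRanges: sourcePortRangesType?`, `sources: sourcesType?`). Declaring the exported types non-nullable (`type destinationPortRangesType = string[]`, and likewise for `destinationsType`, `sourcePortRangesType` and `sourcesType` in the following hunk) and keeping `?` at the use site keeps the optionality visible where the parameter is declared and does not force a nullable type on a consumer that wants the value required. The parameters are also inconsistent with each other: the hunk-header context shows `param sourcePortRanges string[]?` not using the new `sourcePortRangesType` at all, while `param sources sourcesType` does — `param sourcePortRanges sourcePortRangesType?` would align them. The type definitions continue outside the hunk.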
@@ -115,8 +117,10 @@ type destinationsType = { addressPrefix: string }[]? +@export() type sourcePortRangesType = string[]? +@export() type sourcesType = { @sys.description('Required. Address prefix type.') addressPrefixType: 'IPPrefix' | 'ServiceTag' diff --git a/avm/res/network/network-manager/security-admin-configuration/rule-collection/rule/main.json b/avm/res/network/network-manager/security-admin-configuration/rule-collection/rule/main.json index c6aab07910..0ee19fcd22 100644 --- a/avm/res/network/network-manager/security-admin-configuration/rule-collection/rule/main.json +++ b/avm/res/network/network-manager/security-admin-configuration/rule-collection/rule/main.json @@ -6,10 +6,10 @@ "_generator": { "name": "bicep", "version": "0.32.4.45862", - "templateHash": "17715910169740786334" + "templateHash": "11831246248888143865" }, "name": "Network Manager Security Admin Configuration Rule Collection Rules", - "description": "This module deploys an Azure Virtual Network Manager (AVNM) Security Admin Configuration Rule Collection Rule.\nA security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules.", + "description": "This module deploys an Azure Virtual Network Manager (AVNM) Security Admin Configuration Rule Collection Rule.\r\nA security admin configuration contains a set of rule collections. Each rule collection contains one or more security admin rules.", "owner": "Azure/module-maintainers" }, "definitions": { @@ -18,7 +18,10 @@ "items": { "type": "string" }, - "nullable": true + "nullable": true, + "metadata": { + "__bicep_export!": true + } }, "destinationsType": { "type": "array", @@ -43,14 +46,20 @@ } } }, - "nullable": true + "nullable": true, + "metadata": { + "__bicep_export!": true + } }, "sourcePortRangesType": { "type": "array", "items": { "type": "string" }, - "nullable": true + "nullable": true, + "metadata": { + "__bicep_export!": true + } }, "sourcesType": { "type": "array", 
@@ -75,7 +84,10 @@ } } }, - "nullable": true + "nullable": true, + "metadata": { + "__bicep_export!": true + } } }, "parameters": { @@ -106,7 +118,7 @@ }, "description": { "type": "string", - "nullable": true, + "defaultValue": "", "maxLength": 500, "metadata": { "description": "Optional. A description of the rule." @@ -192,29 +204,29 @@ "networkManager::securityAdminConfiguration::ruleCollection": { "existing": true, "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections", - "apiVersion": "2023-11-01", + "apiVersion": "2024-05-01", "name": "[format('{0}/{1}/{2}', parameters('networkManagerName'), parameters('securityAdminConfigurationName'), parameters('ruleCollectionName'))]" }, "networkManager::securityAdminConfiguration": { "existing": true, "type": "Microsoft.Network/networkManagers/securityAdminConfigurations", - "apiVersion": "2023-11-01", + "apiVersion": "2024-05-01", "name": "[format('{0}/{1}', parameters('networkManagerName'), parameters('securityAdminConfigurationName'))]" }, "networkManager": { "existing": true, "type": "Microsoft.Network/networkManagers", - "apiVersion": "2023-11-01", + "apiVersion": "2024-05-01", "name": "[parameters('networkManagerName')]" }, "rule": { "type": "Microsoft.Network/networkManagers/securityAdminConfigurations/ruleCollections/rules", - "apiVersion": "2023-11-01", + "apiVersion": "2024-05-01", "name": "[format('{0}/{1}/{2}/{3}', parameters('networkManagerName'), parameters('securityAdminConfigurationName'), parameters('ruleCollectionName'), parameters('name'))]", "kind": "Custom", "properties": { "access": "[parameters('access')]", - "description": "[coalesce(parameters('description'), '')]", + "description": "[parameters('description')]", "destinationPortRanges": "[parameters('destinationPortRanges')]", "destinations": "[parameters('destinations')]", "direction": "[parameters('direction')]", 
diff --git a/avm/res/network/network-manager/tests/e2e/defaults/main.test.bicep b/avm/res/network/network-manager/tests/e2e/defaults/main.test.bicep
index ed65356e84..2137e98961 100644
--- a/avm/res/network/network-manager/tests/e2e/defaults/main.test.bicep
+++ b/avm/res/network/network-manager/tests/e2e/defaults/main.test.bicep
@@ -43,9 +43,6 @@ module testDeployment '../../../main.bicep' = [
 params: {
 name: '${namePrefix}${serviceShort}001'
 location: resourceLocation
- networkManagerScopeAccesses: [
- 'Connectivity'
- ]
 networkManagerScopes: {
 subscriptions: [
 subscription().id
diff --git a/avm/res/network/network-manager/tests/e2e/max/dependencies.bicep b/avm/res/network/network-manager/tests/e2e/max/dependencies.bicep
index 88d5ceec42..109c4210d1 100644
--- a/avm/res/network/network-manager/tests/e2e/max/dependencies.bicep
+++ b/avm/res/network/network-manager/tests/e2e/max/dependencies.bicep
@@ -116,8 +116,14 @@ output virtualNetworkHubId string = virtualNetworkHub.id
 @description('The resource ID of the created Spoke 1 Virtual Network.')
 output virtualNetworkSpoke1Id string = virtualNetworkSpoke1.id
+@description('The resource ID of the created Spoke 1 Virtual Network subnet.')
+output virtualNetworkSpoke1SubnetId string = virtualNetworkSpoke1.properties.subnets[0].id
+
 @description('The resource ID of the created Spoke 2 Virtual Network.')
 output virtualNetworkSpoke2Id string = virtualNetworkSpoke2.id
+@description('The resource ID of the created Spoke 2 Virtual Network subnet.')
+output virtualNetworkSpoke2SubnetId string = virtualNetworkSpoke2.properties.subnets[0].id
+
 @description('The resource ID of the created Spoke 3 Virtual Network.')
 output virtualNetworkSpoke3Id string = virtualNetworkSpoke3.id
diff --git a/avm/res/network/network-manager/tests/e2e/max/main.test.bicep b/avm/res/network/network-manager/tests/e2e/max/main.test.bicep
index fe3ef45227..af38662098 100644
--- a/avm/res/network/network-manager/tests/e2e/max/main.test.bicep
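Review bot: `virtualNetworkSpoke1.properties.subnets[0].id` and its Spoke 2 counterpart select a subnet by array position, so the output silently changes meaning if a subnet is inserted ahead of it or the order in the vnet definition changes; since the max test names these members `-defaultSubnet`, referencing the subnet explicitly — through a child `resource` symbol for the subnet if one is declared, or `resourceId('Microsoft.Network/virtualNetworks/subnets', virtualNetworkSpoke1.name, '<subnet-name>')` — would be more robust. The output descriptions could also say which subnet is meant, e.g. `@description('The resource ID of the first subnet of the created Spoke 1 Virtual Network.')`. The vnet and subnet definitions in this file are outside the hunk, so I can't tell whether a symbolic subnet reference is already available.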
+++ b/avm/res/network/network-manager/tests/e2e/max/main.test.bicep
@@ -88,6 +88,7 @@ module testDeployment '../../../main.bicep' = [
 networkManagerScopeAccesses: [
 'Connectivity'
 'SecurityAdmin'
+ 'Routing'
 ]
 networkManagerScopes: {
 managementGroups: [
@@ -99,6 +100,7 @@ module testDeployment '../../../main.bicep' = [
 {
 name: 'network-group-spokes-1'
 description: 'network-group-spokes description'
+ memberType: 'VirtualNetwork'
 staticMembers: [
 {
 name: 'virtualNetworkSpoke1'
@@ -112,15 +114,31 @@ module testDeployment '../../../main.bicep' = [
 }
 {
 name: 'network-group-spokes-2'
+ memberType: 'VirtualNetwork'
 staticMembers: [
 {
- name: 'virtualNetworkSpoke3'
+ name: 'default'
 resourceId: nestedDependencies.outputs.virtualNetworkSpoke3Id
 }
 ]
 }
 {
 name: 'network-group-spokes-3'
+ memberType: 'VirtualNetwork'
+ }
+ {
+ name: 'network-groups-subnets-1'
+ memberType: 'Subnet'
+ staticMembers: [
+ {
+ name: 'virtualNetworkSpoke1-defaultSubnet'
+ resourceId: nestedDependencies.outputs.virtualNetworkSpoke1SubnetId
+ }
+ {
+ name: 'virtualNetworkSpoke2-defaultSubnet'
+ resourceId: nestedDependencies.outputs.virtualNetworkSpoke2SubnetId
+ }
+ ]
 }
 ]
 connectivityConfigurations: [
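Review bot: The static member of `network-group-spokes-2` is renamed to `name: 'default'` while its `resourceId` still points at `virtualNetworkSpoke3Id`; every other static member in this hunk is named after the resource it references (`virtualNetworkSpoke1`, `virtualNetworkSpoke1-defaultSubnet`), so `default` reads like a leftover and makes the test harder to follow. Unless the mismatch is deliberate (for example to exercise a member whose name differs from the resource), `name: 'virtualNetworkSpoke3'` is the clearer choice; if it is deliberate, a one-line comment saying so would stop the next reader from "fixing" it. `network-group-spokes-3` now carries `memberType: 'VirtualNetwork'` with no members, which is acceptable for a max test but would also benefit from a comment that the empty group is intentional.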
@@ -288,14 +306,67 @@ module testDeployment '../../../main.bicep' = [
 ]
 }
 ]
+ routingConfigurations: [
+ {
+ name: 'test-routing-config-1'
+ description: 'description of the routing config'
+ }
+ {
+ name: 'test-routing-config-2'
+ ruleCollections: [
+ {
+ name: 'test-routing-rule-collection-1-subnet'
+ appliesTo: [
+ {
+ networkGroupResourceId: '${networkManagerExpecetedResourceID}/networkGroups/network-groups-subnets-1'
+ }
+ ]
+ disableBgpRoutePropagation: false
+ rules: [
+ {
+ name: 'test-routing-rule-1'
+ destination: {
+ destinationAddress: 'AzureCloud'
+ type: 'ServiceTag'
+ }
+ nextHop: {
+ nextHopType: 'VnetLocal'
+ }
+ }
+ {
+ name: 'test-routing-rule-2'
+ destination: {
+ destinationAddress: '10.10.10.10/32'
+ type: 'AddressPrefix'
+ }
+ nextHop: {
+ nextHopType: 'VirtualAppliance'
+ nextHopAddress: '192.168.1.1'
+ }
+ }
+ ]
+ }
+ ]
+ }
+ {
+ name: 'test-routing-config-3'
+ ruleCollections: [
+ {
+ name: 'test-routing-rule-collection-2-virtual-network'
+ appliesTo: [
+ {
+ networkGroupResourceId: '${networkManagerExpecetedResourceID}/networkGroups/network-group-spokes-1'
+ }
+ ]
+ }
+ ]
+ }
+ ]
 tags: {
 'hidden-title': 'This is visible in the resource name'
 Environment: 'Non-Prod'
 Role: 'DeploymentValidation'
 }
 }
- dependsOn: [
- nestedDependencies
- ]
 }
 ]
diff --git a/avm/res/network/network-manager/version.json b/avm/res/network/network-manager/version.json
index 3f863a2bec..04a0dd1a80 100644
--- a/avm/res/network/network-manager/version.json
+++ b/avm/res/network/network-manager/version.json
@@ -1,7 +1,7 @@
 {
 "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#",
- "version": "0.4",
+ "version": "0.5",
 "pathFilters": [
 "./main.json"
 ]
-}
\ No newline at end of file
+}
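Review bot: The new `appliesTo` entries build network-group resource IDs by string interpolation from `networkManagerExpecetedResourceID` (misspelt "Expeceted"; defined outside this hunk), which ties the test to a hand-assembled ID that has to stay in sync with the network manager's actual name and resource group; if the module exposes the network-group IDs as outputs, referencing those is clearer and survives renames, and if it cannot because the groups are created in the same module deployment, a short comment explaining why the ID is pre-computed would help. `nextHopAddress: '192.168.1.1'` on the VirtualAppliance rule does not correspond to anything deployed in the visible test files; a comment marking it as a synthetic value keeps readers from hunting for a matching appliance. Dropping the explicit `dependsOn: [ nestedDependencies ]` is fine here because the module still references `nestedDependencies.outputs.*`, so the dependency is implicit.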