diff --git a/.github/actions/templates/avm-validateModuleDeployment/action.yml b/.github/actions/templates/avm-validateModuleDeployment/action.yml index 391cc1bdd7..24414d92c4 100644 --- a/.github/actions/templates/avm-validateModuleDeployment/action.yml +++ b/.github/actions/templates/avm-validateModuleDeployment/action.yml @@ -211,7 +211,8 @@ runs: # Add custom parameters as needed if($moduleTemplatePossibleParameters -contains 'resourceLocation') { $functionInput.AdditionalParameters += @{ - resourceLocation = '${{ steps.get-resource-location.outputs.resourceLocation }}' + # resourceLocation = '${{ steps.get-resource-location.outputs.resourceLocation }}' + resourceLocation = 'eastus' } } if($moduleTemplatePossibleParameters -contains 'baseTime') { @@ -290,7 +291,8 @@ runs: if($moduleTemplatePossibleParameters -contains 'resourceLocation') { $functionInput.AdditionalParameters += @{ - resourceLocation = '${{ steps.get-resource-location.outputs.resourceLocation }}' + # resourceLocation = '${{ steps.get-resource-location.outputs.resourceLocation }}' + resourceLocation = 'eastus' } } if($moduleTemplatePossibleParameters -contains 'baseTime') { diff --git a/.github/workflows/avm.res.digital-twins.digital-twins-instance.yml b/.github/workflows/avm.res.digital-twins.digital-twins-instance.yml index 19957c038a..26c507a477 100644 --- a/.github/workflows/avm.res.digital-twins.digital-twins-instance.yml +++ b/.github/workflows/avm.res.digital-twins.digital-twins-instance.yml 
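Review bot: In both action.yml hunks (at -211 and -290) the line `resourceLocation = '${{ steps.get-resource-location.outputs.resourceLocation }}'` is turned into a comment and replaced by the hard-coded `resourceLocation = 'eastus'`, which pins every module validation that runs through this shared template to a single region and leaves dead code in the hashtable. If this was a local debugging override it should be reverted before merge; if a fixed region is genuinely needed, expose it as an action input that defaults to the `get-resource-location` step output instead of editing the template in place. The enclosing PowerShell step starts and ends outside both hunks.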
@@ -82,7 +82,9 @@ jobs:
 uses: ./.github/workflows/avm.template.module.yml
 with:
 workflowInput: "${{ needs.job_initialize_pipeline.outputs.workflowInput }}"
- moduleTestFilePaths: "${{ needs.job_initialize_pipeline.outputs.moduleTestFilePaths }}"
+ # moduleTestFilePaths: "${{ needs.job_initialize_pipeline.outputs.moduleTestFilePaths }}"
+ moduleTestFilePaths: "[{\"path\":\"tests/e2e/max/main.test.bicep\",\"name\":\"max\"}]"
+ # moduleTestFilePaths: "[{\"path\":\"tests/e2e/testMe/main.test.bicep\",\"name\":\"testMe\"}]"
 psRuleModuleTestFilePaths: "${{ needs.job_initialize_pipeline.outputs.psRuleModuleTestFilePaths }}"
 modulePath: "${{ needs.job_initialize_pipeline.outputs.modulePath}}"
 secrets: inherit
diff --git a/avm/res/digital-twins/digital-twins-instance/README.md b/avm/res/digital-twins/digital-twins-instance/README.md
index ac4beeb9a4..5a67a66605 100644
--- a/avm/res/digital-twins/digital-twins-instance/README.md
+++ b/avm/res/digital-twins/digital-twins-instance/README.md
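Review bot: `moduleTestFilePaths` is now a hard-coded JSON literal that selects only `tests/e2e/max/main.test.bicep`, while the `needs.job_initialize_pipeline.outputs.moduleTestFilePaths` wiring survives only as a comment next to a second commented `testMe` variant; this bypasses the initialize job's test discovery, so any other e2e test folder of the module is silently neither deployed nor validated by this workflow. The commented `testMe` path also points at a test folder that is not part of this diff, which reads as a local debugging leftover. Restore `moduleTestFilePaths: "${{ needs.job_initialize_pipeline.outputs.moduleTestFilePaths }}"` and drop the two comment lines before merge. The enclosing job definition starts outside the hunk.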
@@ -20,8 +20,8 @@ This module deploys an Azure Digital Twins Instance. | `Microsoft.DigitalTwins/digitalTwinsInstances` | [2023-01-31](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DigitalTwins/2023-01-31/digitalTwinsInstances) | | `Microsoft.DigitalTwins/digitalTwinsInstances/endpoints` | [2023-01-31](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DigitalTwins/2023-01-31/digitalTwinsInstances/endpoints) | | `Microsoft.Insights/diagnosticSettings` | [2021-05-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-05-01-preview/diagnosticSettings) | -| `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) | -| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) | +| `Microsoft.Network/privateEndpoints` | [2023-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-11-01/privateEndpoints) | +| `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-11-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-11-01/privateEndpoints/privateDnsZoneGroups) | ## Usage examples 
@@ -119,19 +119,76 @@ module digitalTwinsInstance 'br/public:avm/res/digital-twins/digital-twins-insta workspaceResourceId: '' } ] - eventGridEndpoints: [ + endpoints: [ { - eventGridDomainId: '' - topicEndpoint: '' + name: 'EventGridPrimary' + properties: { + endpointType: 'EventGrid' + eventGridTopicResourceId: '' + } + } + { + name: 'IdentityBasedEndpoint' + properties: { + authentication: { + eventHubResourceId: '' + type: 'IdentityBased' + } + endpointType: 'EventHub' + managedIdentities: { + userAssignedResourceIds: [ + '' + ] + } + } + } + { + name: 'KeyBasedEndpoint' + properties: { + authentication: { + eventHubAuthorizationRuleName: '' + eventHubResourceId: '' + type: 'KeyBased' + } + endpointType: 'EventHub' + managedIdentities: { + userAssignedResourceIds: [ + '' + ] + } + } } - ] - eventHubEndpoints: [ { - authenticationType: 'IdentityBased' - endpointUri: '' - entityPath: '' - managedIdentities: { - userAssignedResourceId: '' + name: 'IdentityBasedServiceBusPrimaryEndpoint' + properties: { + authentication: { + serviceBusNamespaceTopicResourceId: '' + type: 'IdentityBased' + } + endpointType: 'ServiceBus' + } + } + { + name: 'IdentityBasedServiceBusSecondaryEndpoint' + properties: { + authentication: { + serviceBusNamespaceTopicResourceId: '' + type: 'IdentityBased' + } + endpointType: 'ServiceBus' + managedIdentities: { + systemAssigned: true + } + } + } + { + name: 'KeyBasedServiceBusEndpoint' + properties: { + authentication: { + serviceBusNamespaceAuthorizationRuleResourceId: '' + type: 'KeyBased' + } + endpointType: 'ServiceBus' } } ] @@ -148,9 +205,13 @@ module digitalTwinsInstance 'br/public:avm/res/digital-twins/digital-twins-insta } privateEndpoints: [ { - privateDnsZoneResourceIds: [ - '' - ] + privateDnsZoneGroup: { + privateDnsZoneGroupConfigs: [ + { + privateDnsZoneResourceId: '' + } + ] + } subnetResourceId: '' } ] 
@@ -171,26 +232,6 @@ module digitalTwinsInstance 'br/public:avm/res/digital-twins/digital-twins-insta roleDefinitionIdOrName: '' } ] - serviceBusEndpoints: [ - { - authenticationType: 'IdentityBased' - endpointUri: '' - entityPath: '' - managedIdentities: { - userAssignedResourceId: '' - } - name: 'ServiceBusPrimary' - } - { - authenticationType: 'IdentityBased' - endpointUri: '' - entityPath: '' - managedIdentities: { - systemAssigned: true - } - name: 'ServiceBusSeconday' - } - ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' 
@@ -233,22 +274,77 @@ module digitalTwinsInstance 'br/public:avm/res/digital-twins/digital-twins-insta } ] }, - "eventGridEndpoints": { + "endpoints": { "value": [ { - "eventGridDomainId": "", - "topicEndpoint": "" - } - ] - }, - "eventHubEndpoints": { - "value": [ + "name": "EventGridPrimary", + "properties": { + "endpointType": "EventGrid", + "eventGridTopicResourceId": "" + } + }, + { + "name": "IdentityBasedEndpoint", + "properties": { + "authentication": { + "eventHubResourceId": "", + "type": "IdentityBased" + }, + "endpointType": "EventHub", + "managedIdentities": { + "userAssignedResourceIds": [ + "" + ] + } + } + }, + { + "name": "KeyBasedEndpoint", + "properties": { + "authentication": { + "eventHubAuthorizationRuleName": "", + "eventHubResourceId": "", + "type": "KeyBased" + }, + "endpointType": "EventHub", + "managedIdentities": { + "userAssignedResourceIds": [ + "" + ] + } + } + }, { - "authenticationType": "IdentityBased", - "endpointUri": "", - "entityPath": "", - "managedIdentities": { - "userAssignedResourceId": "" + "name": "IdentityBasedServiceBusPrimaryEndpoint", + "properties": { + "authentication": { + "serviceBusNamespaceTopicResourceId": "", + "type": "IdentityBased" + }, + "endpointType": "ServiceBus" + } + }, + { + "name": "IdentityBasedServiceBusSecondaryEndpoint", + "properties": { + "authentication": { + "serviceBusNamespaceTopicResourceId": "", + "type": "IdentityBased" + }, + "endpointType": "ServiceBus", + "managedIdentities": { + "systemAssigned": true + } + } + }, + { + "name": "KeyBasedServiceBusEndpoint", + "properties": { + "authentication": { + "serviceBusNamespaceAuthorizationRuleResourceId": "", + "type": "KeyBased" + }, + "endpointType": "ServiceBus" } } ] 
@@ -273,9 +369,13 @@ module digitalTwinsInstance 'br/public:avm/res/digital-twins/digital-twins-insta "privateEndpoints": { "value": [ { - "privateDnsZoneResourceIds": [ - "" - ], + "privateDnsZoneGroup": { + "privateDnsZoneGroupConfigs": [ + { + "privateDnsZoneResourceId": "" + } + ] + }, "subnetResourceId": "" } ] @@ -299,28 +399,6 @@ module digitalTwinsInstance 'br/public:avm/res/digital-twins/digital-twins-insta } ] }, - "serviceBusEndpoints": { - "value": [ - { - "authenticationType": "IdentityBased", - "endpointUri": "", - "entityPath": "", - "managedIdentities": { - "userAssignedResourceId": "" - }, - "name": "ServiceBusPrimary" - }, - { - "authenticationType": "IdentityBased", - "endpointUri": "", - "entityPath": "", - "managedIdentities": { - "systemAssigned": true - }, - "name": "ServiceBusSeconday" - } - ] - }, "tags": { "value": { "Environment": "Non-Prod", 
@@ -359,19 +437,76 @@ param diagnosticSettings = [ workspaceResourceId: '' } ] -param eventGridEndpoints = [ +param endpoints = [ { - eventGridDomainId: '' - topicEndpoint: '' + name: 'EventGridPrimary' + properties: { + endpointType: 'EventGrid' + eventGridTopicResourceId: '' + } } -] -param eventHubEndpoints = [ { - authenticationType: 'IdentityBased' - endpointUri: '' - entityPath: '' - managedIdentities: { - userAssignedResourceId: '' + name: 'IdentityBasedEndpoint' + properties: { + authentication: { + eventHubResourceId: '' + type: 'IdentityBased' + } + endpointType: 'EventHub' + managedIdentities: { + userAssignedResourceIds: [ + '' + ] + } + } + } + { + name: 'KeyBasedEndpoint' + properties: { + authentication: { + eventHubAuthorizationRuleName: '' + eventHubResourceId: '' + type: 'KeyBased' + } + endpointType: 'EventHub' + managedIdentities: { + userAssignedResourceIds: [ + '' + ] + } + } + } + { + name: 'IdentityBasedServiceBusPrimaryEndpoint' + properties: { + authentication: { + serviceBusNamespaceTopicResourceId: '' + type: 'IdentityBased' + } + endpointType: 'ServiceBus' + } + } + { + name: 'IdentityBasedServiceBusSecondaryEndpoint' + properties: { + authentication: { + serviceBusNamespaceTopicResourceId: '' + type: 'IdentityBased' + } + endpointType: 'ServiceBus' + managedIdentities: { + systemAssigned: true + } + } + } + { + name: 'KeyBasedServiceBusEndpoint' + properties: { + authentication: { + serviceBusNamespaceAuthorizationRuleResourceId: '' + type: 'KeyBased' + } + endpointType: 'ServiceBus' } } ] @@ -388,9 +523,13 @@ param managedIdentities = { } param privateEndpoints = [ { - privateDnsZoneResourceIds: [ - '' - ] + privateDnsZoneGroup: { + privateDnsZoneGroupConfigs: [ + { + privateDnsZoneResourceId: '' + } + ] + } subnetResourceId: '' } ] 
@@ -411,26 +550,6 @@ param roleAssignments = [ roleDefinitionIdOrName: '' } ] -param serviceBusEndpoints = [ - { - authenticationType: 'IdentityBased' - endpointUri: '' - entityPath: '' - managedIdentities: { - userAssignedResourceId: '' - } - name: 'ServiceBusPrimary' - } - { - authenticationType: 'IdentityBased' - endpointUri: '' - entityPath: '' - managedIdentities: { - systemAssigned: true - } - name: 'ServiceBusSeconday' - } -] param tags = { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -457,18 +576,25 @@ module digitalTwinsInstance 'br/public:avm/res/digital-twins/digital-twins-insta // Required parameters name: 'dtdpep001' // Non-required parameters - location: '' privateEndpoints: [ { - privateDnsZoneResourceIds: [ - '' - ] + privateDnsZoneGroup: { + privateDnsZoneGroupConfigs: [ + { + privateDnsZoneResourceId: '' + } + ] + } subnetResourceId: '' } { - privateDnsZoneResourceIds: [ - '' - ] + privateDnsZoneGroup: { + privateDnsZoneGroupConfigs: [ + { + privateDnsZoneResourceId: '' + } + ] + } subnetResourceId: '' } ] @@ -493,21 +619,26 @@ module digitalTwinsInstance 'br/public:avm/res/digital-twins/digital-twins-insta "value": "dtdpep001" }, // Non-required parameters - "location": { - "value": "" - }, "privateEndpoints": { "value": [ { - "privateDnsZoneResourceIds": [ - "" - ], + "privateDnsZoneGroup": { + "privateDnsZoneGroupConfigs": [ + { + "privateDnsZoneResourceId": "" + } + ] + }, "subnetResourceId": "" }, { - "privateDnsZoneResourceIds": [ - "" - ], + "privateDnsZoneGroup": { + "privateDnsZoneGroupConfigs": [ + { + "privateDnsZoneResourceId": "" + } + ] + }, "subnetResourceId": "" } ] 
@@ -529,18 +660,25 @@ using 'br/public:avm/res/digital-twins/digital-twins-instance:' // Required parameters param name = 'dtdpep001' // Non-required parameters -param location = '' param privateEndpoints = [ { - privateDnsZoneResourceIds: [ - '' - ] + privateDnsZoneGroup: { + privateDnsZoneGroupConfigs: [ + { + privateDnsZoneResourceId: '' + } + ] + } subnetResourceId: '' } { - privateDnsZoneResourceIds: [ - '' - ] + privateDnsZoneGroup: { + privateDnsZoneGroupConfigs: [ + { + privateDnsZoneResourceId: '' + } + ] + } subnetResourceId: '' } ] @@ -573,7 +711,28 @@ module digitalTwinsInstance 'br/public:avm/res/digital-twins/digital-twins-insta workspaceResourceId: '' } ] - location: '' + privateEndpoints: [ + { + privateDnsZoneGroup: { + privateDnsZoneGroupConfigs: [ + { + privateDnsZoneResourceId: '' + } + ] + } + subnetResourceId: '' + } + { + privateDnsZoneGroup: { + privateDnsZoneGroupConfigs: [ + { + privateDnsZoneResourceId: '' + } + ] + } + subnetResourceId: '' + } + ] tags: { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' @@ -610,8 +769,29 @@ module digitalTwinsInstance 'br/public:avm/res/digital-twins/digital-twins-insta } ] }, - "location": { - "value": "" + "privateEndpoints": { + "value": [ + { + "privateDnsZoneGroup": { + "privateDnsZoneGroupConfigs": [ + { + "privateDnsZoneResourceId": "" + } + ] + }, + "subnetResourceId": "" + }, + { + "privateDnsZoneGroup": { + "privateDnsZoneGroupConfigs": [ + { + "privateDnsZoneResourceId": "" + } + ] + }, + "subnetResourceId": "" + } + ] }, "tags": { "value": { 
@@ -645,7 +825,28 @@ param diagnosticSettings = [ workspaceResourceId: '' } ] -param location = '' +param privateEndpoints = [ + { + privateDnsZoneGroup: { + privateDnsZoneGroupConfigs: [ + { + privateDnsZoneResourceId: '' + } + ] + } + subnetResourceId: '' + } + { + privateDnsZoneGroup: { + privateDnsZoneGroupConfigs: [ + { + privateDnsZoneResourceId: '' + } + ] + } + subnetResourceId: '' + } +] param tags = { Environment: 'Non-Prod' 'hidden-title': 'This is visible in the resource name' 
@@ -670,15 +871,13 @@ param tags = { | :-- | :-- | :-- | | [`diagnosticSettings`](#parameter-diagnosticsettings) | array | The diagnostic settings of the service. | | [`enableTelemetry`](#parameter-enabletelemetry) | bool | Enable/Disable usage telemetry for module. | -| [`eventGridEndpoints`](#parameter-eventgridendpoints) | array | Event Grid Endpoint. | -| [`eventHubEndpoints`](#parameter-eventhubendpoints) | array | Event Hub Endpoint. | +| [`endpoints`](#parameter-endpoints) | array | The endpoints of the service. | | [`location`](#parameter-location) | string | Location for all resources. | | [`lock`](#parameter-lock) | object | The lock settings of the service. | | [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. | | [`privateEndpoints`](#parameter-privateendpoints) | array | Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible. | | [`publicNetworkAccess`](#parameter-publicnetworkaccess) | string | Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set. | | [`roleAssignments`](#parameter-roleassignments) | array | Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'. | -| [`serviceBusEndpoints`](#parameter-servicebusendpoints) | array | Service Bus Endpoint. | | [`tags`](#parameter-tags) | object | Resource tags. | ### Parameter: `name` 
@@ -705,7 +904,7 @@ The diagnostic settings of the service. | [`logCategoriesAndGroups`](#parameter-diagnosticsettingslogcategoriesandgroups) | array | The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to `[]` to disable log collection. | | [`marketplacePartnerResourceId`](#parameter-diagnosticsettingsmarketplacepartnerresourceid) | string | The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs. | | [`metricCategories`](#parameter-diagnosticsettingsmetriccategories) | array | The name of metrics that will be streamed. "allMetrics" includes all possible metrics for the resource. Set to `[]` to disable metric collection. | -| [`name`](#parameter-diagnosticsettingsname) | string | The name of diagnostic setting. | +| [`name`](#parameter-diagnosticsettingsname) | string | The name of the diagnostic setting. | | [`storageAccountResourceId`](#parameter-diagnosticsettingsstorageaccountresourceid) | string | Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | | [`workspaceResourceId`](#parameter-diagnosticsettingsworkspaceresourceid) | string | Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub. | @@ -815,7 +1014,7 @@ Enable or disable the category explicitly. Default is `true`. ### Parameter: `diagnosticSettings.name` -The name of diagnostic setting. +The name of the diagnostic setting. - Required: No - Type: string 
@@ -842,19 +1041,38 @@ Enable/Disable usage telemetry for module. - Type: bool - Default: `True` -### Parameter: `eventGridEndpoints` +### Parameter: `endpoints` -Event Grid Endpoint. +The endpoints of the service. - Required: No - Type: array -### Parameter: `eventHubEndpoints` +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`properties`](#parameter-endpointsproperties) | object | The properties of the endpoint. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-endpointsname) | string | The name of the Digital Twin Endpoint. | -Event Hub Endpoint. +### Parameter: `endpoints.properties` + +The properties of the endpoint. + +- Required: Yes +- Type: object + +### Parameter: `endpoints.name` + +The name of the Digital Twin Endpoint. - Required: No -- Type: array +- Type: string ### Parameter: `location` @@ -912,7 +1130,7 @@ The managed identity definition for this resource. | Parameter | Type | Description | | :-- | :-- | :-- | | [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. | -| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. | +| [`userAssignedResourceIds`](#parameter-managedidentitiesuserassignedresourceids) | array | The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption. | ### Parameter: `managedIdentities.systemAssigned` @@ -923,7 +1141,7 @@ Enables system assigned managed identity on the resource. ### Parameter: `managedIdentities.userAssignedResourceIds` -The resource ID(s) to assign to the resource. +The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption. - Required: No - Type: array 
@@ -945,23 +1163,22 @@ Configuration details for private endpoints. For security reasons, it is recomme | Parameter | Type | Description | | :-- | :-- | :-- | -| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the private endpoint IP configuration is included. | +| [`applicationSecurityGroupResourceIds`](#parameter-privateendpointsapplicationsecuritygroupresourceids) | array | Application security groups in which the Private Endpoint IP configuration is included. | | [`customDnsConfigs`](#parameter-privateendpointscustomdnsconfigs) | array | Custom DNS configurations. | -| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the private endpoint. | +| [`customNetworkInterfaceName`](#parameter-privateendpointscustomnetworkinterfacename) | string | The custom name of the network interface attached to the Private Endpoint. | | [`enableTelemetry`](#parameter-privateendpointsenabletelemetry) | bool | Enable/Disable usage telemetry for module. | -| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. | +| [`ipConfigurations`](#parameter-privateendpointsipconfigurations) | array | A list of IP configurations of the Private Endpoint. This will be used to map to the first-party Service endpoints. | | [`isManualConnection`](#parameter-privateendpointsismanualconnection) | bool | If Manual Private Link Connection is required. | -| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the private endpoint to. | +| [`location`](#parameter-privateendpointslocation) | string | The location to deploy the Private Endpoint to. | | [`lock`](#parameter-privateendpointslock) | object | Specify the type of lock. 
| | [`manualConnectionRequestMessage`](#parameter-privateendpointsmanualconnectionrequestmessage) | string | A message passed to the owner of the remote resource with the manual connection request. | -| [`name`](#parameter-privateendpointsname) | string | The name of the private endpoint. | -| [`privateDnsZoneGroupName`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided. | -| [`privateDnsZoneResourceIds`](#parameter-privateendpointsprivatednszoneresourceids) | array | The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. | +| [`name`](#parameter-privateendpointsname) | string | The name of the Private Endpoint. | +| [`privateDnsZoneGroup`](#parameter-privateendpointsprivatednszonegroup) | object | The private DNS Zone Group to configure for the Private Endpoint. | | [`privateLinkServiceConnectionName`](#parameter-privateendpointsprivatelinkserviceconnectionname) | string | The name of the private link connection to create. | -| [`resourceGroupName`](#parameter-privateendpointsresourcegroupname) | string | Specify if you want to deploy the Privte Endpoint into a different resource group than the main resource. | +| [`resourceGroupName`](#parameter-privateendpointsresourcegroupname) | string | Specify if you want to deploy the Private Endpoint into a different Resource Group than the main resource. | | [`roleAssignments`](#parameter-privateendpointsroleassignments) | array | Array of role assignments to create. | -| [`service`](#parameter-privateendpointsservice) | string | The subresource to deploy the private endpoint for. For example "vault", "mysqlServer" or "dataFactory". | -| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/resource groups in this deployment. 
| +| [`service`](#parameter-privateendpointsservice) | string | The subresource to deploy the Private Endpoint for. For example "vault" for a Key Vault Private Endpoint. | +| [`tags`](#parameter-privateendpointstags) | object | Tags to be applied on all resources/Resource Groups in this deployment. | ### Parameter: `privateEndpoints.subnetResourceId` @@ -972,7 +1189,7 @@ Resource ID of the subnet where the endpoint needs to be created. ### Parameter: `privateEndpoints.applicationSecurityGroupResourceIds` -Application security groups in which the private endpoint IP configuration is included. +Application security groups in which the Private Endpoint IP configuration is included. - Required: No - Type: array @@ -1012,7 +1229,7 @@ FQDN that resolves to private endpoint IP address. ### Parameter: `privateEndpoints.customNetworkInterfaceName` -The custom name of the network interface attached to the private endpoint. +The custom name of the network interface attached to the Private Endpoint. - Required: No - Type: string @@ -1026,7 +1243,7 @@ Enable/Disable usage telemetry for module. ### Parameter: `privateEndpoints.ipConfigurations` -A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints. +A list of IP configurations of the Private Endpoint. This will be used to map to the first-party Service endpoints. - Required: No - Type: array @@ -1090,7 +1307,7 @@ If Manual Private Link Connection is required. ### Parameter: `privateEndpoints.location` -The location to deploy the private endpoint to. +The location to deploy the Private Endpoint to. - Required: No - Type: string 
@@ -1140,24 +1357,69 @@ A message passed to the owner of the remote resource with the manual connection ### Parameter: `privateEndpoints.name` -The name of the private endpoint. +The name of the Private Endpoint. - Required: No - Type: string -### Parameter: `privateEndpoints.privateDnsZoneGroupName` +### Parameter: `privateEndpoints.privateDnsZoneGroup` -The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided. +The private DNS Zone Group to configure for the Private Endpoint. - Required: No +- Type: object + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`privateDnsZoneGroupConfigs`](#parameter-privateendpointsprivatednszonegroupprivatednszonegroupconfigs) | array | The private DNS Zone Groups to associate the Private Endpoint. A DNS Zone Group can support up to 5 DNS zones. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-privateendpointsprivatednszonegroupname) | string | The name of the Private DNS Zone Group. | + +### Parameter: `privateEndpoints.privateDnsZoneGroup.privateDnsZoneGroupConfigs` + +The private DNS Zone Groups to associate the Private Endpoint. A DNS Zone Group can support up to 5 DNS zones. + +- Required: Yes +- Type: array + +**Required parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`privateDnsZoneResourceId`](#parameter-privateendpointsprivatednszonegroupprivatednszonegroupconfigsprivatednszoneresourceid) | string | The resource id of the private DNS zone. | + +**Optional parameters** + +| Parameter | Type | Description | +| :-- | :-- | :-- | +| [`name`](#parameter-privateendpointsprivatednszonegroupprivatednszonegroupconfigsname) | string | The name of the private DNS Zone Group config. | + +### Parameter: `privateEndpoints.privateDnsZoneGroup.privateDnsZoneGroupConfigs.privateDnsZoneResourceId` + +The resource id of the private DNS zone. 
+ +- Required: Yes - Type: string -### Parameter: `privateEndpoints.privateDnsZoneResourceIds` +### Parameter: `privateEndpoints.privateDnsZoneGroup.privateDnsZoneGroupConfigs.name` -The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones. +The name of the private DNS Zone Group config. - Required: No -- Type: array +- Type: string + +### Parameter: `privateEndpoints.privateDnsZoneGroup.name` + +The name of the Private DNS Zone Group. + +- Required: No +- Type: string ### Parameter: `privateEndpoints.privateLinkServiceConnectionName` @@ -1168,7 +1430,7 @@ The name of the private link connection to create. ### Parameter: `privateEndpoints.resourceGroupName` -Specify if you want to deploy the Privte Endpoint into a different resource group than the main resource. +Specify if you want to deploy the Private Endpoint into a different Resource Group than the main resource. - Required: No - Type: string @@ -1189,7 +1451,7 @@ Array of role assignments to create. - `'Owner'` - `'Private DNS Zone Contributor'` - `'Reader'` - - `'Role Based Access Control Administrator (Preview)'` + - `'Role Based Access Control Administrator'` **Required parameters** 
@@ -1206,6 +1468,7 @@ Array of role assignments to create. | [`conditionVersion`](#parameter-privateendpointsroleassignmentsconditionversion) | string | Version of the condition. | | [`delegatedManagedIdentityResourceId`](#parameter-privateendpointsroleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | | [`description`](#parameter-privateendpointsroleassignmentsdescription) | string | The description of the role assignment. | +| [`name`](#parameter-privateendpointsroleassignmentsname) | string | The name (as GUID) of the role assignment. If not provided, a GUID will be generated. | | [`principalType`](#parameter-privateendpointsroleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | ### Parameter: `privateEndpoints.roleAssignments.principalId` @@ -1256,6 +1519,13 @@ The description of the role assignment. - Required: No - Type: string +### Parameter: `privateEndpoints.roleAssignments.name` + +The name (as GUID) of the role assignment. If not provided, a GUID will be generated. + +- Required: No +- Type: string + ### Parameter: `privateEndpoints.roleAssignments.principalType` The principal type of the assigned principal ID. @@ -1275,14 +1545,14 @@ The principal type of the assigned principal ID. ### Parameter: `privateEndpoints.service` -The subresource to deploy the private endpoint for. For example "vault", "mysqlServer" or "dataFactory". +The subresource to deploy the Private Endpoint for. For example "vault" for a Key Vault Private Endpoint. - Required: No - Type: string ### Parameter: `privateEndpoints.tags` -Tags to be applied on all resources/resource groups in this deployment. +Tags to be applied on all resources/Resource Groups in this deployment. - Required: No - Type: object 
@@ -1333,6 +1603,7 @@ Array of role assignment objects that contain the 'roleDefinitionIdOrName' and ' | [`conditionVersion`](#parameter-roleassignmentsconditionversion) | string | Version of the condition. | | [`delegatedManagedIdentityResourceId`](#parameter-roleassignmentsdelegatedmanagedidentityresourceid) | string | The Resource Id of the delegated managed identity resource. | | [`description`](#parameter-roleassignmentsdescription) | string | The description of the role assignment. | +| [`name`](#parameter-roleassignmentsname) | string | The name (as GUID) of the role assignment. If not provided, a GUID will be generated. | | [`principalType`](#parameter-roleassignmentsprincipaltype) | string | The principal type of the assigned principal ID. | ### Parameter: `roleAssignments.principalId` @@ -1383,6 +1654,13 @@ The description of the role assignment. - Required: No - Type: string +### Parameter: `roleAssignments.name` + +The name (as GUID) of the role assignment. If not provided, a GUID will be generated. + +- Required: No +- Type: string + ### Parameter: `roleAssignments.principalType` The principal type of the assigned principal ID. @@ -1400,13 +1678,6 @@ The principal type of the assigned principal ID. ] ``` -### Parameter: `serviceBusEndpoints` - -Service Bus Endpoint. - -- Required: No -- Type: array - ### Parameter: `tags` Resource tags. @@ -1421,6 +1692,7 @@ Resource tags. | `hostname` | string | The hostname of the Digital Twins Instance. | | `location` | string | The location the resource was deployed into. | | `name` | string | The name of the Digital Twins Instance. | +| `privateEndpoints` | array | The private endpoints of the key vault. | | `resourceGroupName` | string | The name of the resource group the resource was created in. | | `resourceId` | string | The resource ID of the Digital Twins Instance. | | `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. | 
@@ -1431,7 +1703,8 @@ This section gives you an overview of all local-referenced module files (i.e., o | Reference | Type | | :-- | :-- | -| `br/public:avm/res/network/private-endpoint:0.4.1` | Remote reference | +| `br/public:avm/res/network/private-endpoint:0.9.0` | Remote reference | +| `br/public:avm/utl/types/avm-common-types:0.4.1` | Remote reference | ## Data Collection diff --git a/avm/res/digital-twins/digital-twins-instance/endpoint--event-grid/main.bicep b/avm/res/digital-twins/digital-twins-instance/endpoint--event-grid/main.bicep deleted file mode 100644 index 5b975da92c..0000000000 --- a/avm/res/digital-twins/digital-twins-instance/endpoint--event-grid/main.bicep +++ /dev/null 
@@ -1,49 +0,0 @@
-metadata name = 'Digital Twins Instance Event Grid Endpoints'
-metadata description = 'This module deploys a Digital Twins Instance Event Grid Endpoint.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Optional. The name of the Digital Twin Endpoint.')
-param name string = 'EventGridEndpoint'
-
-@description('Conditional. The name of the parent Digital Twin Instance resource. Required if the template is used in a standalone deployment.')
-param digitalTwinInstanceName string
-
-@description('Required. EventGrid Topic Endpoint.')
-param topicEndpoint string
-
-@description('Required. The resource ID of the Event Grid to get access keys from.')
-param eventGridDomainResourceId string
-
-@description('Optional. Dead letter storage secret for key-based authentication. Will be obfuscated during read.')
-@secure()
-param deadLetterSecret string = ''
-
-@description('Optional. Dead letter storage URL for identity-based authentication.')
-param deadLetterUri string = ''
-
-resource digitalTwinsInstance 'Microsoft.DigitalTwins/digitalTwinsInstances@2023-01-31' existing = {
- name: digitalTwinInstanceName
-}
-
-resource endpoint 'Microsoft.DigitalTwins/digitalTwinsInstances/endpoints@2023-01-31' = {
- name: name
- parent: digitalTwinsInstance
- properties: {
- endpointType: 'EventGrid'
- authenticationType: 'KeyBased'
- TopicEndpoint: topicEndpoint
- accessKey1: listkeys(eventGridDomainResourceId, '2022-06-15').key1
- accessKey2: listkeys(eventGridDomainResourceId, '2022-06-15').key2
- deadLetterSecret: deadLetterSecret
- deadLetterUri: deadLetterUri
- }
-}
-
-@description('The resource ID of the Endpoint.')
-output resourceId string = endpoint.id
-
-@description('The name of the resource group the resource was created in.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The name of the Endpoint.')
-output name string = endpoint.name
diff --git a/avm/res/digital-twins/digital-twins-instance/endpoint--event-grid/main.json b/avm/res/digital-twins/digital-twins-instance/endpoint--event-grid/main.json
deleted file mode 100644
index 3cc9c4dc57..0000000000
--- a/avm/res/digital-twins/digital-twins-instance/endpoint--event-grid/main.json
+++ /dev/null
@@ -1,94 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.32.4.45862", - "templateHash": "14357918051528584394" - }, - "name": "Digital Twins Instance Event Grid Endpoints", - "description": "This module deploys a Digital Twins Instance Event Grid Endpoint.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "defaultValue": "EventGridEndpoint", - "metadata": { - "description": "Optional. The name of the Digital Twin Endpoint." - } - }, - "digitalTwinInstanceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Digital Twin Instance resource. Required if the template is used in a standalone deployment." - } - }, - "topicEndpoint": { - "type": "string", - "metadata": { - "description": "Required. EventGrid Topic Endpoint." - } - }, - "eventGridDomainResourceId": { - "type": "string", - "metadata": { - "description": "Required. The resource ID of the Event Grid to get access keys from." - } - }, - "deadLetterSecret": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Optional. Dead letter storage secret for key-based authentication. Will be obfuscated during read." - } - }, - "deadLetterUri": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Dead letter storage URL for identity-based authentication." 
- } - } - }, - "resources": [ - { - "type": "Microsoft.DigitalTwins/digitalTwinsInstances/endpoints", - "apiVersion": "2023-01-31", - "name": "[format('{0}/{1}', parameters('digitalTwinInstanceName'), parameters('name'))]", - "properties": { - "endpointType": "EventGrid", - "authenticationType": "KeyBased", - "TopicEndpoint": "[parameters('topicEndpoint')]", - "accessKey1": "[listkeys(parameters('eventGridDomainResourceId'), '2022-06-15').key1]", - "accessKey2": "[listkeys(parameters('eventGridDomainResourceId'), '2022-06-15').key2]", - "deadLetterSecret": "[parameters('deadLetterSecret')]", - "deadLetterUri": "[parameters('deadLetterUri')]" - } - } - ], - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Endpoint." - }, - "value": "[resourceId('Microsoft.DigitalTwins/digitalTwinsInstances/endpoints', parameters('digitalTwinInstanceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the resource was created in." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the Endpoint." - }, - "value": "[parameters('name')]" - } - } -} \ No newline at end of file diff --git a/avm/res/digital-twins/digital-twins-instance/endpoint--event-hub/README.md b/avm/res/digital-twins/digital-twins-instance/endpoint--event-hub/README.md deleted file mode 100644 index 991679f17e..0000000000 --- a/avm/res/digital-twins/digital-twins-instance/endpoint--event-hub/README.md +++ /dev/null 
@@ -1,152 +0,0 @@
-# Digital Twins Instance EventHub Endpoint `[Microsoft.DigitalTwins/digitalTwinsInstances/endpoints]`
-
-This module deploys a Digital Twins Instance EventHub Endpoint.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.DigitalTwins/digitalTwinsInstances/endpoints` | [2023-01-31](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DigitalTwins/2023-01-31/digitalTwinsInstances/endpoints) |
-
-## Parameters
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`connectionStringPrimaryKey`](#parameter-connectionstringprimarykey) | securestring | PrimaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Required if the `authenticationType` is "KeyBased". |
-| [`digitalTwinInstanceName`](#parameter-digitaltwininstancename) | string | The name of the parent Digital Twin Instance resource. Required if the template is used in a standalone deployment. |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`authenticationType`](#parameter-authenticationtype) | string | Specifies the authentication type being used for connecting to the endpoint. If 'KeyBased' is selected, a connection string must be specified (at least the primary connection string). If 'IdentityBased' is selected, the endpointUri and entityPath properties must be specified. |
-| [`connectionStringSecondaryKey`](#parameter-connectionstringsecondarykey) | securestring | SecondaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Only used if the `authenticationType` is "KeyBased". |
-| [`deadLetterSecret`](#parameter-deadlettersecret) | securestring | Dead letter storage secret for key-based authentication. Will be obfuscated during read. |
-| [`deadLetterUri`](#parameter-deadletteruri) | string | Dead letter storage URL for identity-based authentication. |
-| [`endpointUri`](#parameter-endpointuri) | string | The URL of the EventHub namespace for identity-based authentication. It must include the protocol 'sb://' (i.e. sb://xyz.servicebus.windows.net). |
-| [`entityPath`](#parameter-entitypath) | string | The EventHub name in the EventHub namespace for identity-based authentication. |
-| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both. |
-| [`name`](#parameter-name) | string | The name of the Digital Twin Endpoint. |
-
-### Parameter: `connectionStringPrimaryKey`
-
-PrimaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Required if the `authenticationType` is "KeyBased".
-
-- Required: No
-- Type: securestring
-- Default: `''`
-
-### Parameter: `digitalTwinInstanceName`
-
-The name of the parent Digital Twin Instance resource. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `authenticationType`
-
-Specifies the authentication type being used for connecting to the endpoint. If 'KeyBased' is selected, a connection string must be specified (at least the primary connection string). If 'IdentityBased' is selected, the endpointUri and entityPath properties must be specified.
-
-- Required: No
-- Type: string
-- Default: `'IdentityBased'`
-- Allowed:
- ```Bicep
- [
- 'IdentityBased'
- 'KeyBased'
- ]
- ```
-
-### Parameter: `connectionStringSecondaryKey`
-
-SecondaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Only used if the `authenticationType` is "KeyBased".
-
-- Required: No
-- Type: securestring
-- Default: `''`
-
-### Parameter: `deadLetterSecret`
-
-Dead letter storage secret for key-based authentication. Will be obfuscated during read.
-
-- Required: No
-- Type: securestring
-- Default: `''`
-
-### Parameter: `deadLetterUri`
-
-Dead letter storage URL for identity-based authentication.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `endpointUri`
-
-The URL of the EventHub namespace for identity-based authentication. It must include the protocol 'sb://' (i.e. sb://xyz.servicebus.windows.net).
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `entityPath`
-
-The EventHub name in the EventHub namespace for identity-based authentication.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `managedIdentities`
-
-The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both.
-
-- Required: No
-- Type: object
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. |
-| [`userAssignedResourceId`](#parameter-managedidentitiesuserassignedresourceid) | string | The resource ID(s) to assign to the resource. |
-
-### Parameter: `managedIdentities.systemAssigned`
-
-Enables system assigned managed identity on the resource.
-
-- Required: No
-- Type: bool
-
-### Parameter: `managedIdentities.userAssignedResourceId`
-
-The resource ID(s) to assign to the resource.
-
-- Required: No
-- Type: string
-
-### Parameter: `name`
-
-The name of the Digital Twin Endpoint.
-
-- Required: No
-- Type: string
-- Default: `'EventHubEndpoint'`
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the Endpoint. |
-| `resourceGroupName` | string | The name of the resource group the resource was created in. |
-| `resourceId` | string | The resource ID of the Endpoint. |
-| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. Note: As of 2024-03 is not exported by API. |
diff --git a/avm/res/digital-twins/digital-twins-instance/endpoint--event-hub/main.bicep b/avm/res/digital-twins/digital-twins-instance/endpoint--event-hub/main.bicep
deleted file mode 100644
index dedec8cd2a..0000000000
--- a/avm/res/digital-twins/digital-twins-instance/endpoint--event-hub/main.bicep
+++ /dev/null
@@ -1,94 +0,0 @@
-metadata name = 'Digital Twins Instance EventHub Endpoint'
-metadata description = 'This module deploys a Digital Twins Instance EventHub Endpoint.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Optional. The name of the Digital Twin Endpoint.')
-param name string = 'EventHubEndpoint'
-
-@description('Conditional. The name of the parent Digital Twin Instance resource. Required if the template is used in a standalone deployment.')
-param digitalTwinInstanceName string
-
-@allowed([
- 'IdentityBased'
- 'KeyBased'
-])
-@description('Optional. Specifies the authentication type being used for connecting to the endpoint. If \'KeyBased\' is selected, a connection string must be specified (at least the primary connection string). If \'IdentityBased\' is selected, the endpointUri and entityPath properties must be specified.')
-param authenticationType string = 'IdentityBased'
-
-@description('Optional. Dead letter storage secret for key-based authentication. Will be obfuscated during read.')
-@secure()
-param deadLetterSecret string = ''
-
-@description('Optional. Dead letter storage URL for identity-based authentication.')
-param deadLetterUri string = ''
-
-@description('Conditional. PrimaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Required if the `authenticationType` is "KeyBased".')
-@secure()
-param connectionStringPrimaryKey string = ''
-
-@description('Optional. SecondaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Only used if the `authenticationType` is "KeyBased".')
-@secure()
-param connectionStringSecondaryKey string = ''
-
-@description('Optional. The EventHub name in the EventHub namespace for identity-based authentication.')
-param entityPath string = ''
-
-@description('Optional. The URL of the EventHub namespace for identity-based authentication. It must include the protocol \'sb://\' (i.e. sb://xyz.servicebus.windows.net).')
-param endpointUri string = ''
-
-@description('Optional. The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both.')
-param managedIdentities managedIdentitiesType
-
-var identity = !empty(managedIdentities)
- ? {
- type: (managedIdentities.?systemAssigned ?? false)
- ? 'SystemAssigned'
- : (!empty(managedIdentities.?userAssignedResourceId ?? '') ? 'UserAssigned' : null)
- userAssignedIdentity: managedIdentities.?userAssignedResourceId
- }
- : null
-
-resource digitalTwinsInstance 'Microsoft.DigitalTwins/digitalTwinsInstances@2023-01-31' existing = {
- name: digitalTwinInstanceName
-}
-
-resource endpoint 'Microsoft.DigitalTwins/digitalTwinsInstances/endpoints@2023-01-31' = {
- name: name
- parent: digitalTwinsInstance
- properties: {
- endpointType: 'EventHub'
- authenticationType: authenticationType
- connectionStringPrimaryKey: connectionStringPrimaryKey
- connectionStringSecondaryKey: connectionStringSecondaryKey
- deadLetterSecret: deadLetterSecret
- deadLetterUri: deadLetterUri
- endpointUri: endpointUri
- entityPath: entityPath
- identity: identity
- }
-}
-
-@description('The resource ID of the Endpoint.')
-output resourceId string = endpoint.id
-
-@description('The name of the resource group the resource was created in.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The name of the Endpoint.')
-output name string = endpoint.name
-
-@description('The principal ID of the system assigned identity. Note: As of 2024-03 is not exported by API.')
-#disable-next-line BCP187
-output systemAssignedMIPrincipalId string = endpoint.?identity.?principalId ?? ''
-
-// =============== //
-// Definitions //
-// =============== //
-
-type managedIdentitiesType = {
- @description('Optional. Enables system assigned managed identity on the resource.')
- systemAssigned: bool?
-
- @description('Optional. The resource ID(s) to assign to the resource.')
- userAssignedResourceId: string?
-}?
diff --git a/avm/res/digital-twins/digital-twins-instance/endpoint--event-hub/main.json b/avm/res/digital-twins/digital-twins-instance/endpoint--event-hub/main.json
deleted file mode 100644
index 881940b38a..0000000000
--- a/avm/res/digital-twins/digital-twins-instance/endpoint--event-hub/main.json
+++ /dev/null
@@ -1,168 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.32.4.45862", - "templateHash": "13923156882372448729" - }, - "name": "Digital Twins Instance EventHub Endpoint", - "description": "This module deploys a Digital Twins Instance EventHub Endpoint.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "defaultValue": "EventHubEndpoint", - "metadata": { - "description": "Optional. The name of the Digital Twin Endpoint." - } - }, - "digitalTwinInstanceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Digital Twin Instance resource. Required if the template is used in a standalone deployment." - } - }, - "authenticationType": { - "type": "string", - "defaultValue": "IdentityBased", - "allowedValues": [ - "IdentityBased", - "KeyBased" - ], - "metadata": { - "description": "Optional. Specifies the authentication type being used for connecting to the endpoint. If 'KeyBased' is selected, a connection string must be specified (at least the primary connection string). If 'IdentityBased' is selected, the endpointUri and entityPath properties must be specified." - } - }, - "deadLetterSecret": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Optional. Dead letter storage secret for key-based authentication. 
Will be obfuscated during read." - } - }, - "deadLetterUri": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Dead letter storage URL for identity-based authentication." - } - }, - "connectionStringPrimaryKey": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Conditional. PrimaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Required if the `authenticationType` is \"KeyBased\"." - } - }, - "connectionStringSecondaryKey": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Optional. SecondaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Only used if the `authenticationType` is \"KeyBased\"." - } - }, - "entityPath": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The EventHub name in the EventHub namespace for identity-based authentication." - } - }, - "endpointUri": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The URL of the EventHub namespace for identity-based authentication. It must include the protocol 'sb://' (i.e. sb://xyz.servicebus.windows.net)." - } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Optional. The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both." 
- } - } - }, - "variables": { - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), 'SystemAssigned', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceId'), ''))), 'UserAssigned', null())), 'userAssignedIdentity', tryGet(parameters('managedIdentities'), 'userAssignedResourceId')), null())]" - }, - "resources": { - "digitalTwinsInstance": { - "existing": true, - "type": "Microsoft.DigitalTwins/digitalTwinsInstances", - "apiVersion": "2023-01-31", - "name": "[parameters('digitalTwinInstanceName')]" - }, - "endpoint": { - "type": "Microsoft.DigitalTwins/digitalTwinsInstances/endpoints", - "apiVersion": "2023-01-31", - "name": "[format('{0}/{1}', parameters('digitalTwinInstanceName'), parameters('name'))]", - "properties": { - "endpointType": "EventHub", - "authenticationType": "[parameters('authenticationType')]", - "connectionStringPrimaryKey": "[parameters('connectionStringPrimaryKey')]", - "connectionStringSecondaryKey": "[parameters('connectionStringSecondaryKey')]", - "deadLetterSecret": "[parameters('deadLetterSecret')]", - "deadLetterUri": "[parameters('deadLetterUri')]", - "endpointUri": "[parameters('endpointUri')]", - "entityPath": "[parameters('entityPath')]", - "identity": "[variables('identity')]" - } - } - }, - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Endpoint." - }, - "value": "[resourceId('Microsoft.DigitalTwins/digitalTwinsInstances/endpoints', parameters('digitalTwinInstanceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the resource was created in." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the Endpoint." 
- }, - "value": "[parameters('name')]" - }, - "systemAssignedMIPrincipalId": { - "type": "string", - "metadata": { - "description": "The principal ID of the system assigned identity. Note: As of 2024-03 is not exported by API." - }, - "value": "[coalesce(tryGet(tryGet(reference('endpoint', '2023-01-31', 'full'), 'identity'), 'principalId'), '')]" - } - } -} \ No newline at end of file diff --git a/avm/res/digital-twins/digital-twins-instance/endpoint--service-bus/README.md b/avm/res/digital-twins/digital-twins-instance/endpoint--service-bus/README.md deleted file mode 100644 index 308a5bdb75..0000000000 --- a/avm/res/digital-twins/digital-twins-instance/endpoint--service-bus/README.md +++ /dev/null 
@@ -1,152 +0,0 @@
-# Digital Twins Instance ServiceBus Endpoint `[Microsoft.DigitalTwins/digitalTwinsInstances/endpoints]`
-
-This module deploys a Digital Twins Instance ServiceBus Endpoint.
-
-## Navigation
-
-- [Resource Types](#Resource-Types)
-- [Parameters](#Parameters)
-- [Outputs](#Outputs)
-
-## Resource Types
-
-| Resource Type | API Version |
-| :-- | :-- |
-| `Microsoft.DigitalTwins/digitalTwinsInstances/endpoints` | [2023-01-31](https://learn.microsoft.com/en-us/azure/templates/Microsoft.DigitalTwins/2023-01-31/digitalTwinsInstances/endpoints) |
-
-## Parameters
-
-**Conditional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`digitalTwinInstanceName`](#parameter-digitaltwininstancename) | string | The name of the parent Digital Twin Instance resource. Required if the template is used in a standalone deployment. |
-| [`primaryConnectionString`](#parameter-primaryconnectionstring) | securestring | PrimaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Required if the `authenticationType` is "KeyBased". |
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`authenticationType`](#parameter-authenticationtype) | string | Specifies the authentication type being used for connecting to the endpoint. If 'KeyBased' is selected, a connection string must be specified (at least the primary connection string). If 'IdentityBased' is selected, the endpointUri and entityPath properties must be specified. |
-| [`deadLetterSecret`](#parameter-deadlettersecret) | securestring | Dead letter storage secret for key-based authentication. Will be obfuscated during read. |
-| [`deadLetterUri`](#parameter-deadletteruri) | string | Dead letter storage URL for identity-based authentication. |
-| [`endpointUri`](#parameter-endpointuri) | string | The URL of the ServiceBus namespace for identity-based authentication. It must include the protocol 'sb://' (e.g. sb://xyz.servicebus.windows.net). |
-| [`entityPath`](#parameter-entitypath) | string | The ServiceBus Topic name for identity-based authentication. |
-| [`managedIdentities`](#parameter-managedidentities) | object | The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both. |
-| [`name`](#parameter-name) | string | The name of the Digital Twin Endpoint. |
-| [`secondaryConnectionString`](#parameter-secondaryconnectionstring) | securestring | SecondaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Only used if the `authenticationType` is "KeyBased". |
-
-### Parameter: `digitalTwinInstanceName`
-
-The name of the parent Digital Twin Instance resource. Required if the template is used in a standalone deployment.
-
-- Required: Yes
-- Type: string
-
-### Parameter: `primaryConnectionString`
-
-PrimaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Required if the `authenticationType` is "KeyBased".
-
-- Required: No
-- Type: securestring
-- Default: `''`
-
-### Parameter: `authenticationType`
-
-Specifies the authentication type being used for connecting to the endpoint. If 'KeyBased' is selected, a connection string must be specified (at least the primary connection string). If 'IdentityBased' is selected, the endpointUri and entityPath properties must be specified.
-
-- Required: No
-- Type: string
-- Default: `'IdentityBased'`
-- Allowed:
- ```Bicep
- [
- 'IdentityBased'
- 'KeyBased'
- ]
- ```
-
-### Parameter: `deadLetterSecret`
-
-Dead letter storage secret for key-based authentication. Will be obfuscated during read.
-
-- Required: No
-- Type: securestring
-- Default: `''`
-
-### Parameter: `deadLetterUri`
-
-Dead letter storage URL for identity-based authentication.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `endpointUri`
-
-The URL of the ServiceBus namespace for identity-based authentication. It must include the protocol 'sb://' (e.g. sb://xyz.servicebus.windows.net).
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `entityPath`
-
-The ServiceBus Topic name for identity-based authentication.
-
-- Required: No
-- Type: string
-- Default: `''`
-
-### Parameter: `managedIdentities`
-
-The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both.
-
-- Required: No
-- Type: object
-
-**Optional parameters**
-
-| Parameter | Type | Description |
-| :-- | :-- | :-- |
-| [`systemAssigned`](#parameter-managedidentitiessystemassigned) | bool | Enables system assigned managed identity on the resource. |
-| [`userAssignedResourceId`](#parameter-managedidentitiesuserassignedresourceid) | string | The resource ID(s) to assign to the resource. |
-
-### Parameter: `managedIdentities.systemAssigned`
-
-Enables system assigned managed identity on the resource.
-
-- Required: No
-- Type: bool
-
-### Parameter: `managedIdentities.userAssignedResourceId`
-
-The resource ID(s) to assign to the resource.
-
-- Required: No
-- Type: string
-
-### Parameter: `name`
-
-The name of the Digital Twin Endpoint.
-
-- Required: No
-- Type: string
-- Default: `'ServiceBusEndpoint'`
-
-### Parameter: `secondaryConnectionString`
-
-SecondaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Only used if the `authenticationType` is "KeyBased".
-
-- Required: No
-- Type: securestring
-- Default: `''`
-
-## Outputs
-
-| Output | Type | Description |
-| :-- | :-- | :-- |
-| `name` | string | The name of the Endpoint. |
-| `resourceGroupName` | string | The name of the resource group the resource was created in. |
-| `resourceId` | string | The resource ID of the Endpoint. |
-| `systemAssignedMIPrincipalId` | string | The principal ID of the system assigned identity. Note: As of 2024-03 is not exported by API. |
diff --git a/avm/res/digital-twins/digital-twins-instance/endpoint--service-bus/main.bicep b/avm/res/digital-twins/digital-twins-instance/endpoint--service-bus/main.bicep
deleted file mode 100644
index a28adf1ab5..0000000000
--- a/avm/res/digital-twins/digital-twins-instance/endpoint--service-bus/main.bicep
+++ /dev/null
@@ -1,94 +0,0 @@
-metadata name = 'Digital Twins Instance ServiceBus Endpoint'
-metadata description = 'This module deploys a Digital Twins Instance ServiceBus Endpoint.'
-metadata owner = 'Azure/module-maintainers'
-
-@description('Optional. The name of the Digital Twin Endpoint.')
-param name string = 'ServiceBusEndpoint'
-
-@description('Conditional. The name of the parent Digital Twin Instance resource. Required if the template is used in a standalone deployment.')
-param digitalTwinInstanceName string
-
-@allowed([
- 'IdentityBased'
- 'KeyBased'
-])
-@description('Optional. Specifies the authentication type being used for connecting to the endpoint. If \'KeyBased\' is selected, a connection string must be specified (at least the primary connection string). If \'IdentityBased\' is selected, the endpointUri and entityPath properties must be specified.')
-param authenticationType string = 'IdentityBased'
-
-@description('Optional. Dead letter storage secret for key-based authentication. Will be obfuscated during read.')
-@secure()
-param deadLetterSecret string = ''
-
-@description('Optional. Dead letter storage URL for identity-based authentication.')
-param deadLetterUri string = ''
-
-@description('Optional. The URL of the ServiceBus namespace for identity-based authentication. It must include the protocol \'sb://\' (e.g. sb://xyz.servicebus.windows.net).')
-param endpointUri string = ''
-
-@description('Optional. The ServiceBus Topic name for identity-based authentication.')
-param entityPath string = ''
-
-@description('Conditional. PrimaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Required if the `authenticationType` is "KeyBased".')
-@secure()
-param primaryConnectionString string = ''
-
-@description('Optional. SecondaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Only used if the `authenticationType` is "KeyBased".')
-@secure()
-param secondaryConnectionString string = ''
-
-@description('Optional. The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both.')
-param managedIdentities managedIdentitiesType
-
-var identity = !empty(managedIdentities)
- ? {
- type: (managedIdentities.?systemAssigned ?? false)
- ? 'SystemAssigned'
- : (!empty(managedIdentities.?userAssignedResourceId ?? '') ? 'UserAssigned' : null)
- userAssignedIdentity: managedIdentities.?userAssignedResourceId
- }
- : null
-
-resource digitalTwinsInstance 'Microsoft.DigitalTwins/digitalTwinsInstances@2023-01-31' existing = {
- name: digitalTwinInstanceName
-}
-
-resource endpoint 'Microsoft.DigitalTwins/digitalTwinsInstances/endpoints@2023-01-31' = {
- name: name
- parent: digitalTwinsInstance
- properties: {
- endpointType: 'ServiceBus'
- authenticationType: authenticationType
- deadLetterSecret: deadLetterSecret
- deadLetterUri: deadLetterUri
- endpointUri: endpointUri
- entityPath: entityPath
- primaryConnectionString: primaryConnectionString
- secondaryConnectionString: secondaryConnectionString
- identity: identity
- }
-}
-
-@description('The resource ID of the Endpoint.')
-output resourceId string = endpoint.id
-
-@description('The name of the resource group the resource was created in.')
-output resourceGroupName string = resourceGroup().name
-
-@description('The name of the Endpoint.')
-output name string = endpoint.name
-
-@description('The principal ID of the system assigned identity. Note: As of 2024-03 is not exported by API.')
-#disable-next-line BCP187
-output systemAssignedMIPrincipalId string = endpoint.?identity.?principalId ?? ''
-
-// =============== //
-// Definitions //
-// =============== //
-
-type managedIdentitiesType = {
- @description('Optional. Enables system assigned managed identity on the resource.')
- systemAssigned: bool?
-
- @description('Optional. The resource ID(s) to assign to the resource.')
- userAssignedResourceId: string?
-}?
diff --git a/avm/res/digital-twins/digital-twins-instance/endpoint--service-bus/main.json b/avm/res/digital-twins/digital-twins-instance/endpoint--service-bus/main.json
deleted file mode 100644
index 6abe3328fe..0000000000
--- a/avm/res/digital-twins/digital-twins-instance/endpoint--service-bus/main.json
+++ /dev/null
@@ -1,168 +0,0 @@ -{ - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.32.4.45862", - "templateHash": "9917080858184002423" - }, - "name": "Digital Twins Instance ServiceBus Endpoint", - "description": "This module deploys a Digital Twins Instance ServiceBus Endpoint.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { - "type": "object", - "properties": { - "systemAssigned": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." - } - }, - "userAssignedResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." - } - } - }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "defaultValue": "ServiceBusEndpoint", - "metadata": { - "description": "Optional. The name of the Digital Twin Endpoint." - } - }, - "digitalTwinInstanceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Digital Twin Instance resource. Required if the template is used in a standalone deployment." - } - }, - "authenticationType": { - "type": "string", - "defaultValue": "IdentityBased", - "allowedValues": [ - "IdentityBased", - "KeyBased" - ], - "metadata": { - "description": "Optional. Specifies the authentication type being used for connecting to the endpoint. If 'KeyBased' is selected, a connection string must be specified (at least the primary connection string). If 'IdentityBased' is selected, the endpointUri and entityPath properties must be specified." - } - }, - "deadLetterSecret": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Optional. Dead letter storage secret for key-based authentication. 
Will be obfuscated during read." - } - }, - "deadLetterUri": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Dead letter storage URL for identity-based authentication." - } - }, - "endpointUri": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The URL of the ServiceBus namespace for identity-based authentication. It must include the protocol 'sb://' (e.g. sb://xyz.servicebus.windows.net)." - } - }, - "entityPath": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The ServiceBus Topic name for identity-based authentication." - } - }, - "primaryConnectionString": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Conditional. PrimaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Required if the `authenticationType` is \"KeyBased\"." - } - }, - "secondaryConnectionString": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Optional. SecondaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Only used if the `authenticationType` is \"KeyBased\"." - } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Optional. The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both." 
- } - } - }, - "variables": { - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), 'SystemAssigned', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceId'), ''))), 'UserAssigned', null())), 'userAssignedIdentity', tryGet(parameters('managedIdentities'), 'userAssignedResourceId')), null())]" - }, - "resources": { - "digitalTwinsInstance": { - "existing": true, - "type": "Microsoft.DigitalTwins/digitalTwinsInstances", - "apiVersion": "2023-01-31", - "name": "[parameters('digitalTwinInstanceName')]" - }, - "endpoint": { - "type": "Microsoft.DigitalTwins/digitalTwinsInstances/endpoints", - "apiVersion": "2023-01-31", - "name": "[format('{0}/{1}', parameters('digitalTwinInstanceName'), parameters('name'))]", - "properties": { - "endpointType": "ServiceBus", - "authenticationType": "[parameters('authenticationType')]", - "deadLetterSecret": "[parameters('deadLetterSecret')]", - "deadLetterUri": "[parameters('deadLetterUri')]", - "endpointUri": "[parameters('endpointUri')]", - "entityPath": "[parameters('entityPath')]", - "primaryConnectionString": "[parameters('primaryConnectionString')]", - "secondaryConnectionString": "[parameters('secondaryConnectionString')]", - "identity": "[variables('identity')]" - } - } - }, - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Endpoint." - }, - "value": "[resourceId('Microsoft.DigitalTwins/digitalTwinsInstances/endpoints', parameters('digitalTwinInstanceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the resource was created in." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the Endpoint." 
- }, - "value": "[parameters('name')]" - }, - "systemAssignedMIPrincipalId": { - "type": "string", - "metadata": { - "description": "The principal ID of the system assigned identity. Note: As of 2024-03 is not exported by API." - }, - "value": "[coalesce(tryGet(tryGet(reference('endpoint', '2023-01-31', 'full'), 'identity'), 'principalId'), '')]" - } - } -} \ No newline at end of file diff --git a/avm/res/digital-twins/digital-twins-instance/endpoint--event-grid/README.md b/avm/res/digital-twins/digital-twins-instance/endpoint/README.md similarity index 51% rename from avm/res/digital-twins/digital-twins-instance/endpoint--event-grid/README.md rename to avm/res/digital-twins/digital-twins-instance/endpoint/README.md index d4147f7508..85d8f9c1d2 100644 --- a/avm/res/digital-twins/digital-twins-instance/endpoint--event-grid/README.md +++ b/avm/res/digital-twins/digital-twins-instance/endpoint/README.md @@ -1,12 +1,13 @@ -# Digital Twins Instance Event Grid Endpoints `[Microsoft.DigitalTwins/digitalTwinsInstances/endpoints]` +# Digital Twins Instance Endpoint `[Microsoft.DigitalTwins/digitalTwinsInstances/endpoints]` -This module deploys a Digital Twins Instance Event Grid Endpoint. +This module deploys a Digital Twins Instance Endpoint. ## Navigation - [Resource Types](#Resource-Types) - [Parameters](#Parameters) - [Outputs](#Outputs) +- [Cross-referenced modules](#Cross-referenced-modules) ## Resource Types @@ -20,8 +21,8 @@ This module deploys a Digital Twins Instance Event Grid Endpoint. | Parameter | Type | Description | | :-- | :-- | :-- | -| [`eventGridDomainResourceId`](#parameter-eventgriddomainresourceid) | string | The resource ID of the Event Grid to get access keys from. | -| [`topicEndpoint`](#parameter-topicendpoint) | string | EventGrid Topic Endpoint. | +| [`name`](#parameter-name) | string | The name of the Digital Twin Endpoint. | +| [`properties`](#parameter-properties) | object | The properties of the endpoint. | **Conditional parameters** 
@@ -29,27 +30,19 @@ This module deploys a Digital Twins Instance Event Grid Endpoint. | :-- | :-- | :-- | | [`digitalTwinInstanceName`](#parameter-digitaltwininstancename) | string | The name of the parent Digital Twin Instance resource. Required if the template is used in a standalone deployment. | -**Optional parameters** - -| Parameter | Type | Description | -| :-- | :-- | :-- | -| [`deadLetterSecret`](#parameter-deadlettersecret) | securestring | Dead letter storage secret for key-based authentication. Will be obfuscated during read. | -| [`deadLetterUri`](#parameter-deadletteruri) | string | Dead letter storage URL for identity-based authentication. | -| [`name`](#parameter-name) | string | The name of the Digital Twin Endpoint. | - -### Parameter: `eventGridDomainResourceId` +### Parameter: `name` -The resource ID of the Event Grid to get access keys from. +The name of the Digital Twin Endpoint. - Required: Yes - Type: string -### Parameter: `topicEndpoint` +### Parameter: `properties` -EventGrid Topic Endpoint. +The properties of the endpoint. - Required: Yes -- Type: string +- Type: object ### Parameter: `digitalTwinInstanceName` @@ -58,30 +51,6 @@ The name of the parent Digital Twin Instance resource. Required if the template - Required: Yes - Type: string -### Parameter: `deadLetterSecret` - -Dead letter storage secret for key-based authentication. Will be obfuscated during read. - -- Required: No -- Type: securestring -- Default: `''` - -### Parameter: `deadLetterUri` - -Dead letter storage URL for identity-based authentication. - -- Required: No -- Type: string -- Default: `''` - -### Parameter: `name` - -The name of the Digital Twin Endpoint. - -- Required: No -- Type: string -- Default: `'EventGridEndpoint'` - ## Outputs | Output | Type | Description | 
@@ -89,3 +58,11 @@ The name of the Digital Twin Endpoint. | `name` | string | The name of the Endpoint. | | `resourceGroupName` | string | The name of the resource group the resource was created in. | | `resourceId` | string | The resource ID of the Endpoint. | + +## Cross-referenced modules + +This section gives you an overview of all local-referenced module files (i.e., other modules that are referenced in this module) and all remote-referenced files (i.e., Bicep modules that are referenced from a Bicep Registry or Template Specs). + +| Reference | Type | +| :-- | :-- | +| `br/public:avm/utl/types/avm-common-types:0.4.1` | Remote reference | diff --git a/avm/res/digital-twins/digital-twins-instance/endpoint/main.bicep b/avm/res/digital-twins/digital-twins-instance/endpoint/main.bicep new file mode 100644 index 0000000000..293a7abbd0 --- /dev/null +++ b/avm/res/digital-twins/digital-twins-instance/endpoint/main.bicep 
@@ -0,0 +1,262 @@
+metadata name = 'Digital Twins Instance Endpoint'
+metadata description = 'This module deploys a Digital Twins Instance Endpoint.'
+
+@description('Required. The name of the Digital Twin Endpoint.')
+param name string
+
+@description('Conditional. The name of the parent Digital Twin Instance resource. Required if the template is used in a standalone deployment.')
+param digitalTwinInstanceName string
+
+@description('Required. The properties of the endpoint.')
+param properties propertiesType
+
+var identity = !empty(properties.?authentication.?managedIdentities)
+ ? {
+ type: (properties.?authentication.?managedIdentities.?systemAssigned ?? false)
+ ? 'SystemAssigned'
+ : (!empty(properties.?authentication.?managedIdentities.?userAssignedResourceId ?? '') ? 'UserAssigned' : null)
+ userAssignedIdentity: properties.?authentication.?managedIdentities.?userAssignedResourceId
+ }
+ : null
+
+resource eventGridTopic 'Microsoft.EventGrid/topics@2022-06-15' existing = if (properties.endpointType == 'EventGrid') {
+ name: last(split(properties.?eventGridTopicResourceId, '/'))
+ scope: resourceGroup(
+ split((properties.?eventGridTopicResourceId ?? '//'), '/')[2],
+ split((properties.?eventGridTopicResourceId ?? '////'), '/')[4]
+ )
+}
+
+resource eventHubNamespace 'Microsoft.EventHub/namespaces@2024-01-01' existing = if (properties.endpointType == 'EventHub') {
+ name: split((properties.authentication.eventHubResourceId ?? '////'), '/')[8]
+ scope: resourceGroup(
+ split((properties.authentication.eventHubResourceId ?? '//'), '/')[2],
+ split((properties.authentication.eventHubResourceId ?? '////'), '/')[4]
+ )
+
+ resource eventHub 'eventhubs@2024-01-01' existing = if (properties.endpointType == 'EventHub') {
+ name: last(split((properties.authentication.eventHubResourceId ?? '/'), '/'))
+
+ resource authorizationRule 'authorizationRules@2024-01-01' existing = if (!empty(properties.authentication.?eventHubAuthorizationRuleName)) {
+ name: properties.authentication.?eventHubAuthorizationRuleName
+ }
+ }
+}
+
+resource serviceBusNamespace 'Microsoft.ServiceBus/namespaces@2024-01-01' existing = if (properties.endpointType == 'ServiceBus') {
+ name: split(properties.authentication.serviceBusNamespaceTopicResourceId, '/')[8]
+ scope: resourceGroup(
+ split((properties.authentication.serviceBusNamespaceTopicResourceId ?? '//'), '/')[2],
+ split((properties.authentication.serviceBusNamespaceTopicResourceId ?? '////'), '/')[4]
+ )
+
+ resource topic 'topics@2024-01-01' existing = if (properties.endpointType == 'ServiceBus') {
+ name: last(split((properties.authentication.serviceBusNamespaceTopicResourceId ?? '/'), '/'))
+
+ resource authorizationRule 'AuthorizationRules@2024-01-01' existing = if (!empty(properties.authentication.?serviceBusNamespaceTopicAuthorizationRuleName)) {
+ name: properties.authentication.?serviceBusNamespaceTopicAuthorizationRuleName
+ }
+ }
+}
+
+resource digitalTwinsInstance 'Microsoft.DigitalTwins/digitalTwinsInstances@2023-01-31' existing = {
+ name: digitalTwinInstanceName
+}
+
+resource endpoint 'Microsoft.DigitalTwins/digitalTwinsInstances/endpoints@2023-01-31' = {
+ name: name
+ parent: digitalTwinsInstance
+ properties: {
+ endpointType: properties.endpointType
+ identity: identity
+ deadLetterSecret: properties.?deadLetterSecret
+ deadLetterUri: properties.?deadLetterUri
+ // Event Grid
+ ...(properties.endpointType == 'EventGrid'
+ ? {
+ authenticationType: 'KeyBased'
+ // Should use the commented code for simplification (allows one less user input), but this introduces a bug where all deployments not using the eventGridTopic resourceId will fail as they cannot resolve the dependency (that they're not using). Asking for the TopicEndpoints is a workaround.
+ // TopicEndpoint: eventGridTopic.properties.endpoint // Introduces a breaking dependency. Would be value: E.g., https://dep-dtdmax-evgt-01.eastus-1.eventgrid.azure.net/api/events
+ TopicEndpoint: properties.eventGridTopicEndpoint
+ accessKey1: eventGridTopic.listkeys().key1
+ accessKey2: eventGridTopic.listkeys().key2
+ }
+ : {})
+
+ // Event Hub
+ ...(properties.endpointType == 'EventHub'
+ ? {
+ authenticationType: properties.authentication.type
+ ...(properties.authentication.type == 'IdentityBased'
+ ? {
+ endpointUri: 'sb://${eventHubNamespace.name}.servicebus.windows.net/'
+ entityPath: eventHubNamespace::eventHub.name
+ }
+ : {
+ connectionStringPrimaryKey: eventHubNamespace::eventHub::authorizationRule.listKeys().primaryConnectionString
+ connectionStringSecondaryKey: eventHubNamespace::eventHub::authorizationRule.listKeys().secondaryConnectionString
+ })
+ }
+ : {})
+
+ // Service Bus
+ ...(properties.endpointType == 'ServiceBus'
+ ? {
+ authenticationType: properties.authentication.type
+ ...(properties.authentication.type == 'IdentityBased'
+ ? {
+ endpointUri: 'sb://${serviceBusNamespace.name}.servicebus.windows.net/'
+ entityPath: serviceBusNamespace::topic.name
+ // Did not help
+ // endpointUri: 'sb://${split(properties.authentication.serviceBusNamespaceTopicResourceId, '/')[8]}.servicebus.windows.net/'
+ // entityPath: last(split((properties.authentication.serviceBusNamespaceTopicResourceId ?? '/'), '/'))
+ }
+ : {
+ primaryConnectionString: serviceBusNamespace::topic::authorizationRule.listKeys().primaryConnectionString
+ secondaryConnectionString: serviceBusNamespace::topic::authorizationRule.listKeys().secondaryConnectionString
+ })
+ }
+ : {})
+ }
+}
+
+@description('The resource ID of the Endpoint.')
+output resourceId string = endpoint.id
+
+@description('The name of the resource group the resource was created in.')
+output resourceGroupName string = resourceGroup().name
+
+@description('The name of the Endpoint.')
+output name string = endpoint.name
+
+@description('The principal ID of the system assigned identity. Note: As of 2024-03 is not exported by API.')
+output systemAssignedMIPrincipalId string? = endpoint.?identity.?principalId
+
+// =============== //
+// Definitions //
+// =============== //
+
+// NOTE: This managed identity type (either-or) is not available in the AVM-Common-Types module.
+@description('The type for the managed identity.')
+type managedIdentitiesType = {
+ @description('Optional. Enables system assigned managed identity on the resource.')
+ systemAssigned: bool?
+
+ @description('Optional. The resource ID(s) to assign to the resource.')
+ userAssignedResourceId: string?
+}
+
+@description('The type for the Digital Twin Endpoint.')
+@discriminator('endpointType')
+@export()
+type propertiesType = eventGridPropertiesType | eventHubPropertiesType | serviceBusPropertiesType
+
+@export()
+@description('The type for an event grid endpoint.')
+type eventGridPropertiesType = {
+ @description('Required. The type of endpoint to create.')
+ endpointType: 'EventGrid'
+
+ @description('Optional. Dead letter storage secret for key-based authentication. Will be obfuscated during read.')
+ @secure()
+ deadLetterSecret: string?
+
+ @description('Optional. Dead letter storage URL for identity-based authentication.')
+ deadLetterUri: string?
+
+ @description('Required. The resource ID of the Event Grid Topic to get access keys from.')
+ eventGridTopicResourceId: string
+
+ @description('Required. The endpoint of the Event Grid Topic to get access keys from.')
+ eventGridTopicEndpoint: string
+}
+
+@export()
+@description('The type for an event hub endpoint.')
+type eventHubPropertiesType = {
+ @description('Required. The type of endpoint to create.')
+ endpointType: 'EventHub'
+
+ @description('Optional. Dead letter storage secret for key-based authentication. Will be obfuscated during read.')
+ @secure()
+ deadLetterSecret: string?
+
+ @description('Optional. Dead letter storage URL for identity-based authentication.')
+ deadLetterUri: string?
+
+ @description('Required. Specifies the authentication type being used for connecting to the endpoint.')
+ authentication: eventHubAuthorizationPropertiesType
+}
+
+@discriminator('type')
+@export()
+type eventHubAuthorizationPropertiesType =
+ | eventHubIdentityBasedAuthenticationPropertiesType
+ | eventHubKeyBasedAuthenticationPropertiesType
+
+type eventHubIdentityBasedAuthenticationPropertiesType = {
+ @description('Required. Specifies the authentication type being used for connecting to the endpoint. If \'KeyBased\' is selected, a connection string must be specified (at least the primary connection string). If \'IdentityBased\' is select, the endpointUri and entityPath properties must be specified.')
+ type: 'IdentityBased'
+
+ @description('Optional. The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both.')
+ managedIdentities: managedIdentitiesType?
+
+ @description('Required. The resource ID of the Event Hub Namespace Event Hub.')
+ eventHubResourceId: string
+}
+
+type eventHubKeyBasedAuthenticationPropertiesType = {
+ @description('Required. Specifies the authentication type being used for connecting to the endpoint. If \'KeyBased\' is selected, a connection string must be specified (at least the primary connection string). If \'IdentityBased\' is select, the endpointUri and entityPath properties must be specified.')
+ type: 'KeyBased'
+
+ @description('Required. The resource ID of the Event Hub Namespace Event Hub.')
+ eventHubResourceId: string
+
+ @description('Required. The name of the Event Hub Namespace Event Hub Authorization Rule.')
+ eventHubAuthorizationRuleName: string
+}
+
+@export()
+@description('The type for a service bus endpoint.')
+type serviceBusPropertiesType = {
+ @description('Required. The type of endpoint to create.')
+ endpointType: 'ServiceBus'
+
+ @description('Required. Specifies the authentication type being used for connecting to the endpoint.')
+ authentication: serviceBusNamespaceAuthorizationPropertiesType
+
+ @description('Optional. Dead letter storage secret for key-based authentication. Will be obfuscated during read.')
+ @secure()
+ deadLetterSecret: string?
+
+ @description('Optional. Dead letter storage URL for identity-based authentication.')
+ deadLetterUri: string?
+}
+
+@discriminator('type')
+@export()
+type serviceBusNamespaceAuthorizationPropertiesType =
+ | serviceBusNamespaceIdentityBasedAuthenticationPropertiesType
+ | serviceBusNamespaceKeyBasedAuthenticationPropertiesType
+
+type serviceBusNamespaceIdentityBasedAuthenticationPropertiesType = {
+ @description('Required. Specifies the authentication type being used for connecting to the endpoint. If \'KeyBased\' is selected, a connection string must be specified (at least the primary connection string). If \'IdentityBased\' is select, the endpointUri and entityPath properties must be specified.')
+ type: 'IdentityBased'
+
+ @description('Optional. The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both.')
+ managedIdentities: managedIdentitiesType?
+
+ @description('Required. The ServiceBus Namespace Topic resource ID.')
+ serviceBusNamespaceTopicResourceId: string
+}
+
+type serviceBusNamespaceKeyBasedAuthenticationPropertiesType = {
+ @description('Required. Specifies the authentication type being used for connecting to the endpoint. If \'KeyBased\' is selected, a connection string must be specified (at least the primary connection string). If \'IdentityBased\' is select, the endpointUri and entityPath properties must be specified.')
+ type: 'KeyBased'
+
+ @description('Required. The ServiceBus Namespace Topic resource ID.')
+ serviceBusNamespaceTopicResourceId: string
+
+ @description('Required. The ServiceBus Namespace Topic Authorization Rule name.')
+ serviceBusNamespaceTopicAuthorizationRuleName: string
+}
diff --git a/avm/res/digital-twins/digital-twins-instance/endpoint/main.json b/avm/res/digital-twins/digital-twins-instance/endpoint/main.json
new file mode 100644
index 0000000000..663ec46f9a
--- /dev/null
+++ b/avm/res/digital-twins/digital-twins-instance/endpoint/main.json
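Review bot: The key-based branches (`accessKey1: eventGridTopic.listkeys().key1`, `connectionStringPrimaryKey: eventHubNamespace::eventHub::authorizationRule.listKeys().primaryConnectionString`, `primaryConnectionString: serviceBusNamespace::topic::authorizationRule.listKeys().primaryConnectionString`) read live secrets from resources whose scope is taken from the caller-supplied resource ID, possibly in another subscription, and forward them in the endpoint request body, so the deploying principal must hold the corresponding `listKeys` action and anyone allowed to run this module effectively gains read access to those keys; none of the type descriptions say so. I'd extend the `eventHubAuthorizationRuleName` and `serviceBusNamespaceTopicAuthorizationRuleName` descriptions with `Note: the deploying principal needs listKeys on this rule; prefer a Send-only rule over the namespace root rule, and prefer type 'IdentityBased' where the target supports it.` and add a matching note to `eventGridTopicResourceId`, since Event Grid is hard-wired to `authenticationType: 'KeyBased'` here. Separately, `name: last(split(properties.?eventGridTopicResourceId, '/'))` and `name: split(properties.authentication.serviceBusNamespaceTopicResourceId, '/')[8]` lack the `?? '////'` fallback that the sibling `eventHubNamespace` name and the adjacent `scope` arguments use, so for the other endpoint types they presumably evaluate `split(null)` — the in-line comment about unused-type dependencies breaking deployments suggests this matters and the fallback should be applied consistently. Finally, the compiled `main.json` added in the same commit appears stale against this file (it declares `serviceBusNamespaceAuthorizationRuleResourceId` and `managedIdentityAllType`, and has no `eventGridTopicEndpoint`), so the artifact that gets published would not match the reviewed source; it should be rebuilt before merge.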
@@ -0,0 +1,440 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.32.4.45862", + "templateHash": "1872253241260109642" + }, + "name": "Digital Twins Instance Endpoint", + "description": "This module deploys a Digital Twins Instance Endpoint." + }, + "definitions": { + "propertiesType": { + "type": "object", + "discriminator": { + "propertyName": "endpointType", + "mapping": { + "EventGrid": { + "$ref": "#/definitions/eventGridPropertiesType" + }, + "EventHub": { + "$ref": "#/definitions/eventHubPropertiesType" + }, + "ServiceBus": { + "$ref": "#/definitions/serviceBusPropertiesType" + } + } + }, + "metadata": { + "__bicep_export!": true, + "description": "The type for the Digital Twin Endpoint." + } + }, + "eventGridPropertiesType": { + "type": "object", + "properties": { + "endpointType": { + "type": "string", + "allowedValues": [ + "EventGrid" + ], + "metadata": { + "description": "Required. The type of endpoint to create." + } + }, + "deadLetterSecret": { + "type": "securestring", + "nullable": true, + "metadata": { + "description": "Optional. Dead letter storage secret for key-based authentication. Will be obfuscated during read." + } + }, + "deadLetterUri": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Dead letter storage URL for identity-based authentication." + } + }, + "managedIdentities": { + "$ref": "#/definitions/managedIdentityAllType", + "nullable": true, + "metadata": { + "description": "Optional. The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both." + } + }, + "eventGridTopicResourceId": { + "type": "string", + "metadata": { + "description": "Required. The resource ID of the Event Grid Topic to get access keys from." 
+ } + } + }, + "metadata": { + "__bicep_export!": true, + "description": "The type for an event grid endpoint." + } + }, + "eventHubPropertiesType": { + "type": "object", + "properties": { + "endpointType": { + "type": "string", + "allowedValues": [ + "EventHub" + ], + "metadata": { + "description": "Required. The type of endpoint to create." + } + }, + "deadLetterSecret": { + "type": "securestring", + "nullable": true, + "metadata": { + "description": "Optional. Dead letter storage secret for key-based authentication. Will be obfuscated during read." + } + }, + "deadLetterUri": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Dead letter storage URL for identity-based authentication." + } + }, + "managedIdentities": { + "$ref": "#/definitions/managedIdentityAllType", + "nullable": true, + "metadata": { + "description": "Optional. The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both." + } + }, + "authentication": { + "$ref": "#/definitions/eventHubAuthorizationPropertiesType", + "metadata": { + "description": "Required. Specifies the authentication type being used for connecting to the endpoint." + } + } + }, + "metadata": { + "__bicep_export!": true, + "description": "The type for an event hub endpoint." + } + }, + "eventHubAuthorizationPropertiesType": { + "type": "object", + "discriminator": { + "propertyName": "type", + "mapping": { + "IdentityBased": { + "$ref": "#/definitions/eventHubIdentityBasedAuthenticationPropertiesType" + }, + "KeyBased": { + "$ref": "#/definitions/eventHubKeyBasedAuthenticationPropertiesType" + } + } + }, + "metadata": { + "__bicep_export!": true + } + }, + "eventHubIdentityBasedAuthenticationPropertiesType": { + "type": "object", + "properties": { + "type": { + "type": "string", + "allowedValues": [ + "IdentityBased" + ], + "metadata": { + "description": "Required. 
Specifies the authentication type being used for connecting to the endpoint. If 'KeyBased' is selected, a connection string must be specified (at least the primary connection string). If 'IdentityBased' is select, the endpointUri and entityPath properties must be specified." + } + }, + "eventHubResourceId": { + "type": "string", + "metadata": { + "description": "Required. The resource ID of the Event Hub Namespace Event Hub." + } + } + } + }, + "eventHubKeyBasedAuthenticationPropertiesType": { + "type": "object", + "properties": { + "type": { + "type": "string", + "allowedValues": [ + "KeyBased" + ], + "metadata": { + "description": "Required. Specifies the authentication type being used for connecting to the endpoint. If 'KeyBased' is selected, a connection string must be specified (at least the primary connection string). If 'IdentityBased' is select, the endpointUri and entityPath properties must be specified." + } + }, + "eventHubResourceId": { + "type": "string", + "metadata": { + "description": "Required. The resource ID of the Event Hub Namespace Event Hub." + } + }, + "eventHubAuthorizationRuleName": { + "type": "string", + "metadata": { + "description": "Required. The name of the Event Hub Namespace Event Hub Authorization Rule." + } + } + } + }, + "serviceBusPropertiesType": { + "type": "object", + "properties": { + "endpointType": { + "type": "string", + "allowedValues": [ + "ServiceBus" + ], + "metadata": { + "description": "Required. The type of endpoint to create." + } + }, + "authentication": { + "$ref": "#/definitions/serviceBusNamespaceAuthorizationPropertiesType", + "metadata": { + "description": "Required. Specifies the authentication type being used for connecting to the endpoint." + } + }, + "deadLetterSecret": { + "type": "securestring", + "nullable": true, + "metadata": { + "description": "Optional. Dead letter storage secret for key-based authentication. Will be obfuscated during read." 
+ } + }, + "deadLetterUri": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Dead letter storage URL for identity-based authentication." + } + }, + "managedIdentities": { + "$ref": "#/definitions/managedIdentityAllType", + "nullable": true, + "metadata": { + "description": "Optional. The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both." + } + } + }, + "metadata": { + "__bicep_export!": true, + "description": "The type for a service bus endpoint." + } + }, + "serviceBusNamespaceAuthorizationPropertiesType": { + "type": "object", + "discriminator": { + "propertyName": "type", + "mapping": { + "IdentityBased": { + "$ref": "#/definitions/serviceBusNamespaceIdentityBasedAuthenticationPropertiesType" + }, + "KeyBased": { + "$ref": "#/definitions/serviceBusNamespaceKeyBasedAuthenticationPropertiesType" + } + } + }, + "metadata": { + "__bicep_export!": true + } + }, + "serviceBusNamespaceIdentityBasedAuthenticationPropertiesType": { + "type": "object", + "properties": { + "type": { + "type": "string", + "allowedValues": [ + "IdentityBased" + ], + "metadata": { + "description": "Required. Specifies the authentication type being used for connecting to the endpoint. If 'KeyBased' is selected, a connection string must be specified (at least the primary connection string). If 'IdentityBased' is select, the endpointUri and entityPath properties must be specified." + } + }, + "serviceBusNamespaceTopicResourceId": { + "type": "string", + "metadata": { + "description": "Required. The ServiceBus Namespace Topic resource ID." + } + } + } + }, + "serviceBusNamespaceKeyBasedAuthenticationPropertiesType": { + "type": "object", + "properties": { + "type": { + "type": "string", + "allowedValues": [ + "KeyBased" + ], + "metadata": { + "description": "Required. Specifies the authentication type being used for connecting to the endpoint. 
If 'KeyBased' is selected, a connection string must be specified (at least the primary connection string). If 'IdentityBased' is select, the endpointUri and entityPath properties must be specified." + } + }, + "serviceBusNamespaceAuthorizationRuleResourceId": { + "type": "string", + "metadata": { + "description": "Required. The ServiceBus Namespace Authorization Rule resource ID." + } + } + } + }, + "managedIdentityAllType": { + "type": "object", + "properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + }, + "userAssignedResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption." + } + } + }, + "metadata": { + "description": "An AVM-aligned type for a managed identity configuration. To be used if both a system-assigned & user-assigned identities are supported by the resource provider.", + "__bicep_imported_from!": { + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.4.1" + } + } + } + }, + "parameters": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the Digital Twin Endpoint." + } + }, + "digitalTwinInstanceName": { + "type": "string", + "metadata": { + "description": "Conditional. The name of the parent Digital Twin Instance resource. Required if the template is used in a standalone deployment." + } + }, + "properties": { + "$ref": "#/definitions/propertiesType", + "metadata": { + "description": "Required. The properties of the endpoint." 
+ } + } + }, + "variables": { + "identity": "[if(not(empty(tryGet(parameters('properties'), 'managedIdentities'))), createObject('type', if(coalesce(tryGet(tryGet(parameters('properties'), 'managedIdentities'), 'systemAssigned'), false()), 'SystemAssigned', if(not(empty(coalesce(tryGet(tryGet(parameters('properties'), 'managedIdentities'), 'userAssignedResourceId'), ''))), 'UserAssigned', null())), 'userAssignedIdentity', tryGet(tryGet(parameters('properties'), 'managedIdentities'), 'userAssignedResourceId')), null())]" + }, + "resources": { + "eventHubNamespace::eventHub::authorizationRule": { + "condition": "[and(and(equals(parameters('properties').endpointType, 'EventHub'), equals(parameters('properties').endpointType, 'EventHub')), not(empty(tryGet(parameters('properties').authentication, 'eventHubAuthorizationRuleName'))))]", + "existing": true, + "type": "Microsoft.EventHub/namespaces/eventhubs/authorizationRules", + "apiVersion": "2024-01-01", + "subscriptionId": "[split(coalesce(parameters('properties').authentication.eventHubResourceId, '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(parameters('properties').authentication.eventHubResourceId, '////'), '/')[4]]", + "name": "[format('{0}/{1}/{2}', split(coalesce(parameters('properties').authentication.eventHubResourceId, '////'), '/')[8], last(split(coalesce(parameters('properties').authentication.eventHubResourceId, '////'), '/')), tryGet(parameters('properties').authentication, 'eventHubAuthorizationRuleName'))]" + }, + "eventHubNamespace::eventHub": { + "condition": "[and(equals(parameters('properties').endpointType, 'EventHub'), equals(parameters('properties').endpointType, 'EventHub'))]", + "existing": true, + "type": "Microsoft.EventHub/namespaces/eventhubs", + "apiVersion": "2024-01-01", + "subscriptionId": "[split(coalesce(parameters('properties').authentication.eventHubResourceId, '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(parameters('properties').authentication.eventHubResourceId, 
'////'), '/')[4]]", + "name": "[format('{0}/{1}', split(coalesce(parameters('properties').authentication.eventHubResourceId, '////'), '/')[8], last(split(coalesce(parameters('properties').authentication.eventHubResourceId, '////'), '/')))]" + }, + "serviceBusNamespace::topic": { + "condition": "[and(equals(parameters('properties').endpointType, 'ServiceBus'), not(empty(tryGet(parameters('properties').authentication, 'serviceBusNamespaceTopicResourceId'))))]", + "existing": true, + "type": "Microsoft.ServiceBus/namespaces/topics", + "apiVersion": "2024-01-01", + "name": "[format('{0}/{1}', if(equals(parameters('properties').authentication.type, 'IdentityBased'), split(tryGet(parameters('properties').authentication, 'serviceBusNamespaceTopicResourceId'), '/')[8], split(tryGet(parameters('properties').authentication, 'serviceBusNamespaceAuthorizationRuleResourceId'), '/')[8]), last(split(tryGet(parameters('properties').authentication, 'serviceBusNamespaceTopicResourceId'), '/')))]" + }, + "serviceBusNamespace::authorizationRule": { + "condition": "[and(equals(parameters('properties').endpointType, 'ServiceBus'), not(empty(tryGet(parameters('properties').authentication, 'serviceBusNamespaceAuthorizationRuleResourceId'))))]", + "existing": true, + "type": "Microsoft.ServiceBus/namespaces/AuthorizationRules", + "apiVersion": "2024-01-01", + "name": "[format('{0}/{1}', if(equals(parameters('properties').authentication.type, 'IdentityBased'), split(tryGet(parameters('properties').authentication, 'serviceBusNamespaceTopicResourceId'), '/')[8], split(tryGet(parameters('properties').authentication, 'serviceBusNamespaceAuthorizationRuleResourceId'), '/')[8]), last(split(tryGet(parameters('properties').authentication, 'serviceBusNamespaceAuthorizationRuleResourceId'), '/')))]" + }, + "eventGridTopic": { + "condition": "[equals(parameters('properties').endpointType, 'EventGrid')]", + "existing": true, + "type": "Microsoft.EventGrid/topics", + "apiVersion": "2022-06-15", + 
"subscriptionId": "[split(coalesce(tryGet(parameters('properties'), 'eventGridTopicResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(tryGet(parameters('properties'), 'eventGridTopicResourceId'), '////'), '/')[4]]", + "name": "[last(split(tryGet(parameters('properties'), 'eventGridTopicResourceId'), '/'))]" + }, + "eventHubNamespace": { + "condition": "[equals(parameters('properties').endpointType, 'EventHub')]", + "existing": true, + "type": "Microsoft.EventHub/namespaces", + "apiVersion": "2024-01-01", + "subscriptionId": "[split(coalesce(parameters('properties').authentication.eventHubResourceId, '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(parameters('properties').authentication.eventHubResourceId, '////'), '/')[4]]", + "name": "[split(coalesce(parameters('properties').authentication.eventHubResourceId, '////'), '/')[8]]" + }, + "serviceBusNamespace": { + "condition": "[equals(parameters('properties').endpointType, 'ServiceBus')]", + "existing": true, + "type": "Microsoft.ServiceBus/namespaces", + "apiVersion": "2024-01-01", + "name": "[if(equals(parameters('properties').authentication.type, 'IdentityBased'), split(tryGet(parameters('properties').authentication, 'serviceBusNamespaceTopicResourceId'), '/')[8], split(tryGet(parameters('properties').authentication, 'serviceBusNamespaceAuthorizationRuleResourceId'), '/')[8])]" + }, + "digitalTwinsInstance": { + "existing": true, + "type": "Microsoft.DigitalTwins/digitalTwinsInstances", + "apiVersion": "2023-01-31", + "name": "[parameters('digitalTwinInstanceName')]" + }, + "endpoint": { + "type": "Microsoft.DigitalTwins/digitalTwinsInstances/endpoints", + "apiVersion": "2023-01-31", + "name": "[format('{0}/{1}', parameters('digitalTwinInstanceName'), parameters('name'))]", + "properties": "[shallowMerge(createArray(createObject('endpointType', parameters('properties').endpointType, 'identity', variables('identity'), 'deadLetterSecret', tryGet(parameters('properties'), 'deadLetterSecret'), 
'deadLetterUri', tryGet(parameters('properties'), 'deadLetterUri')), if(equals(parameters('properties').endpointType, 'EventGrid'), createObject('authenticationType', 'KeyBased', 'TopicEndpoint', tryGet(tryGet(reference('eventGridTopic', '2022-06-15', 'full'), 'properties'), 'endpoint'), 'accessKey1', listkeys(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(coalesce(tryGet(parameters('properties'), 'eventGridTopicResourceId'), '//'), '/')[2], split(coalesce(tryGet(parameters('properties'), 'eventGridTopicResourceId'), '////'), '/')[4]), 'Microsoft.EventGrid/topics', last(split(tryGet(parameters('properties'), 'eventGridTopicResourceId'), '/'))), '2022-06-15').key1, 'accessKey2', listkeys(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(coalesce(tryGet(parameters('properties'), 'eventGridTopicResourceId'), '//'), '/')[2], split(coalesce(tryGet(parameters('properties'), 'eventGridTopicResourceId'), '////'), '/')[4]), 'Microsoft.EventGrid/topics', last(split(tryGet(parameters('properties'), 'eventGridTopicResourceId'), '/'))), '2022-06-15').key2), createObject()), if(equals(parameters('properties').endpointType, 'EventHub'), shallowMerge(createArray(createObject('authenticationType', parameters('properties').authenticationType), if(equals(parameters('properties').authentication.type, 'IdentityBased'), createObject('endpointUri', format('sb://{0}.servicebus.windows.net/', split(coalesce(parameters('properties').authentication.eventHubResourceId, '////'), '/')[8]), 'entityPath', last(split(coalesce(parameters('properties').authentication.eventHubResourceId, '////'), '/'))), createObject('connectionStringPrimaryKey', listKeys(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(coalesce(parameters('properties').authentication.eventHubResourceId, '//'), '/')[2], split(coalesce(parameters('properties').authentication.eventHubResourceId, '////'), '/')[4]), 
'Microsoft.EventHub/namespaces/eventhubs/authorizationRules', split(coalesce(parameters('properties').authentication.eventHubResourceId, '////'), '/')[8], last(split(coalesce(parameters('properties').authentication.eventHubResourceId, '////'), '/')), tryGet(parameters('properties').authentication, 'eventHubAuthorizationRuleName')), '2024-01-01').primaryConnectionString, 'connectionStringSecondaryKey', listKeys(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(coalesce(parameters('properties').authentication.eventHubResourceId, '//'), '/')[2], split(coalesce(parameters('properties').authentication.eventHubResourceId, '////'), '/')[4]), 'Microsoft.EventHub/namespaces/eventhubs/authorizationRules', split(coalesce(parameters('properties').authentication.eventHubResourceId, '////'), '/')[8], last(split(coalesce(parameters('properties').authentication.eventHubResourceId, '////'), '/')), tryGet(parameters('properties').authentication, 'eventHubAuthorizationRuleName')), '2024-01-01').secondaryConnectionString)))), createObject()), if(equals(parameters('properties').endpointType, 'ServiceBus'), shallowMerge(createArray(createObject('authenticationType', parameters('properties').authentication.type), if(equals(parameters('properties').authentication.type, 'IdentityBased'), createObject('endpointUri', format('sb://{0}.servicebus.windows.net/', if(equals(parameters('properties').authentication.type, 'IdentityBased'), split(tryGet(parameters('properties').authentication, 'serviceBusNamespaceTopicResourceId'), '/')[8], split(tryGet(parameters('properties').authentication, 'serviceBusNamespaceAuthorizationRuleResourceId'), '/')[8])), 'entityPath', last(split(tryGet(parameters('properties').authentication, 'serviceBusNamespaceTopicResourceId'), '/'))), createObject('primaryConnectionString', listKeys(resourceId('Microsoft.ServiceBus/namespaces/AuthorizationRules', if(equals(parameters('properties').authentication.type, 'IdentityBased'), 
split(tryGet(parameters('properties').authentication, 'serviceBusNamespaceTopicResourceId'), '/')[8], split(tryGet(parameters('properties').authentication, 'serviceBusNamespaceAuthorizationRuleResourceId'), '/')[8]), last(split(tryGet(parameters('properties').authentication, 'serviceBusNamespaceAuthorizationRuleResourceId'), '/'))), '2024-01-01').primaryConnectionString, 'secondaryConnectionString', listKeys(resourceId('Microsoft.ServiceBus/namespaces/AuthorizationRules', if(equals(parameters('properties').authentication.type, 'IdentityBased'), split(tryGet(parameters('properties').authentication, 'serviceBusNamespaceTopicResourceId'), '/')[8], split(tryGet(parameters('properties').authentication, 'serviceBusNamespaceAuthorizationRuleResourceId'), '/')[8]), last(split(tryGet(parameters('properties').authentication, 'serviceBusNamespaceAuthorizationRuleResourceId'), '/'))), '2024-01-01').secondaryConnectionString)))), createObject())))]", + "dependsOn": [ + "eventGridTopic" + ] + } + }, + "outputs": { + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the Endpoint." + }, + "value": "[resourceId('Microsoft.DigitalTwins/digitalTwinsInstances/endpoints', parameters('digitalTwinInstanceName'), parameters('name'))]" + }, + "resourceGroupName": { + "type": "string", + "metadata": { + "description": "The name of the resource group the resource was created in." + }, + "value": "[resourceGroup().name]" + }, + "name": { + "type": "string", + "metadata": { + "description": "The name of the Endpoint." + }, + "value": "[parameters('name')]" + } + } +} \ No newline at end of file diff --git a/avm/res/digital-twins/digital-twins-instance/endpoint/temp.bicep b/avm/res/digital-twins/digital-twins-instance/endpoint/temp.bicep new file mode 100644 index 0000000000..c86bde2386 --- /dev/null +++ b/avm/res/digital-twins/digital-twins-instance/endpoint/temp.bicep 
@@ -0,0 +1,14 @@
+param authenticationType string
+param endpointUri string?
+param entityPath string?
+@secure()
+param primaryConnectionString string?
+
+@secure()
+param secondaryConnectionString string?
+
+output authenticationTypeOutput string = authenticationType
+output endpointUriOutput string? = endpointUri
+output entityPathOutput string? = entityPath
+output primaryConnectionStringOutput string? = primaryConnectionString
+output secondaryConnectionStringOutput string? = secondaryConnectionString
diff --git a/avm/res/digital-twins/digital-twins-instance/main.bicep b/avm/res/digital-twins/digital-twins-instance/main.bicep
index 6ebafb65f6..49f3a78468 100644
--- a/avm/res/digital-twins/digital-twins-instance/main.bicep
+++ b/avm/res/digital-twins/digital-twins-instance/main.bicep
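Review bot: The outputs `primaryConnectionStringOutput` and `secondaryConnectionStringOutput` in temp.bicep return the two `@secure()` parameters as plain outputs, which Bicep's `outputs-should-not-contain-secrets` linter rule flags because deployment outputs are stored unencrypted in the deployment history and are readable by anyone with read access on the resource group. The file name, and the fact that nothing in the visible hunks references it, suggest a scratch file that should be dropped from the PR rather than shipped inside the module. If it is intentional, remove those two outputs and let callers obtain the values with `listKeys()` at the point of use.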
@@ -13,23 +13,20 @@ param location string = resourceGroup().location @description('Optional. Resource tags.') param tags object? +import { lockType } from 'br/public:avm/utl/types/avm-common-types:0.4.1' @description('Optional. The lock settings of the service.') -param lock lockType +param lock lockType? +import { managedIdentityAllType } from 'br/public:avm/utl/types/avm-common-types:0.4.1' @description('Optional. The managed identity definition for this resource.') -param managedIdentities managedIdentitiesType +param managedIdentities managedIdentityAllType? -@description('Optional. Event Hub Endpoint.') -param eventHubEndpoints array? - -@description('Optional. Event Grid Endpoint.') -param eventGridEndpoints array? - -@description('Optional. Service Bus Endpoint.') -param serviceBusEndpoints array? +@description('Optional. The endpoints of the service.') +param endpoints endpointType[]? +import { privateEndpointSingleServiceType } from 'br/public:avm/utl/types/avm-common-types:0.4.1' @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.') -param privateEndpoints privateEndpointType +param privateEndpoints privateEndpointSingleServiceType[]? @description('Optional. Whether or not public network access is allowed for this resource. For security reasons it should be disabled. If not specified, it will be disabled by default if private endpoints are set.') @allowed([ 
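Review bot: `param endpoints endpointType[]?` carries secret material in a parameter that cannot be marked `@secure()` (Bicep only allows the decorator on `string` and `object` parameters), yet the generated endpoint template reads `deadLetterSecret` out of each element's `properties` (the `tryGet(parameters('properties'), 'deadLetterSecret')` expression in endpoint/main.json), so a dead-letter SAS supplied this way is recorded in clear text in the deployment history. The previous `eventHubEndpoints array?` inputs had the same limitation, so this is not a regression, but the redesign is the moment to either move secrets into a separate `@secure()` object parameter or at least state the caveat: `@description('Optional. The endpoints of the service. A dead-letter SAS supplied inside this array is passed as a non-secure parameter and is visible in the deployment history; prefer identity-based authentication.')`.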
@@ -39,14 +36,16 @@ param privateEndpoints privateEndpointType ]) param publicNetworkAccess string = '' +import { diagnosticSettingFullType } from 'br/public:avm/utl/types/avm-common-types:0.4.1' @description('Optional. The diagnostic settings of the service.') -param diagnosticSettings diagnosticSettingType +param diagnosticSettings diagnosticSettingFullType[]? @description('Optional. Enable/Disable usage telemetry for module.') param enableTelemetry bool = true +import { roleAssignmentType } from 'br/public:avm/utl/types/avm-common-types:0.4.1' @description('Optional. Array of role assignment objects that contain the \'roleDefinitionIdOrName\' and \'principalIds\' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') -param roleAssignments roleAssignmentType +param roleAssignments roleAssignmentType[]? var formattedUserAssignedIdentities = reduce( map((managedIdentities.?userAssignedResourceIds ?? []), (id) => { '${id}': {} }), @@ -85,6 +84,17 @@ var builtInRoleNames = { ) } +var formattedRoleAssignments = [ + for (roleAssignment, index) in (roleAssignments ?? []): union(roleAssignment, { + roleDefinitionId: builtInRoleNames[?roleAssignment.roleDefinitionIdOrName] ?? (contains( + roleAssignment.roleDefinitionIdOrName, + '/providers/Microsoft.Authorization/roleDefinitions/' + ) + ? roleAssignment.roleDefinitionIdOrName + : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName)) + }) +] + #disable-next-line no-deployments-resources resource avmTelemetry 'Microsoft.Resources/deployments@2024-03-01' = if (enableTelemetry) { name: '46d3xbcp.res.digitaltwins-digitaltwinsinstance.${replace('-..--..-', '.', '-')}.${substring(uniqueString(deployment().name, location), 0, 4)}' 
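Review bot: The `import { diagnosticSettingFullType }` and `import { roleAssignmentType }` statements are interleaved with the parameter declarations they type, as are the three imports added in the preceding hunk (`lockType`, `managedIdentityAllType`, `privateEndpointSingleServiceType`); all five come from the same module version and can be one statement at the top of the file: `import { diagnosticSettingFullType, lockType, managedIdentityAllType, privateEndpointSingleServiceType, roleAssignmentType } from 'br/public:avm/utl/types/avm-common-types:0.4.1'`. Keeping them together also leaves a single version pin to bump later.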
@@ -116,71 +126,18 @@ resource digitalTwinsInstance 'Microsoft.DigitalTwins/digitalTwinsInstances@2023 } } -module digitalTwinsInstance_eventHubEndpoints 'endpoint--event-hub/main.bicep' = [ - for (eventHubEndpoint, index) in (eventHubEndpoints ?? []): { - name: '${uniqueString(deployment().name, location)}-DigitalTwinsInstance-Endpoints-EventHub-${index}' - params: { - digitalTwinInstanceName: digitalTwinsInstance.name - name: contains(eventHubEndpoint, 'name') ? eventHubEndpoint.name : 'EventHubEndpoint' - authenticationType: contains(eventHubEndpoint, 'authenticationType') - ? eventHubEndpoint.authenticationType - : 'KeyBased' - connectionStringPrimaryKey: contains(eventHubEndpoint, 'connectionStringPrimaryKey') - ? eventHubEndpoint.connectionStringPrimaryKey - : '' - connectionStringSecondaryKey: contains(eventHubEndpoint, 'connectionStringSecondaryKey') - ? eventHubEndpoint.connectionStringSecondaryKey - : '' - deadLetterSecret: contains(eventHubEndpoint, 'deadLetterSecret') ? eventHubEndpoint.deadLetterSecret : '' - deadLetterUri: contains(eventHubEndpoint, 'deadLetterUri') ? eventHubEndpoint.deadLetterUri : '' - endpointUri: contains(eventHubEndpoint, 'endpointUri') ? eventHubEndpoint.endpointUri : '' - entityPath: contains(eventHubEndpoint, 'entityPath') ? eventHubEndpoint.entityPath : '' - managedIdentities: contains(eventHubEndpoint, 'managedIdentities') ? eventHubEndpoint.managedIdentities : {} - } - } -] - -module digitalTwinsInstance_eventGridEndpoints 'endpoint--event-grid/main.bicep' = [ - for (eventGridEndpoint, index) in (eventGridEndpoints ?? []): { - name: '${uniqueString(deployment().name, location)}-DigitalTwinsInstance-Endpoints-EventGrid-${index}' - params: { - digitalTwinInstanceName: digitalTwinsInstance.name - name: contains(eventGridEndpoint, 'name') ? eventGridEndpoint.name : 'EventGridEndpoint' - topicEndpoint: contains(eventGridEndpoint, 'topicEndpoint') ? 
eventGridEndpoint.topicEndpoint : '' - deadLetterSecret: contains(eventGridEndpoint, 'deadLetterSecret') ? eventGridEndpoint.deadLetterSecret : '' - deadLetterUri: contains(eventGridEndpoint, 'deadLetterUri') ? eventGridEndpoint.deadLetterUri : '' - eventGridDomainResourceId: contains(eventGridEndpoint, 'eventGridDomainId') - ? eventGridEndpoint.eventGridDomainId - : '' - } - } -] - -module digitalTwinsInstance_serviceBusEndpoints 'endpoint--service-bus/main.bicep' = [ - for (serviceBusEndpoint, index) in (serviceBusEndpoints ?? []): { - name: '${uniqueString(deployment().name, location)}-DigitalTwinsInstance-Endpoints-ServiceBus-${index}' +module digitalTwinsInstance_endpoints 'endpoint/main.bicep' = [ + for (endpoint, index) in (endpoints ?? []): { + name: '${uniqueString(deployment().name, location)}-DigitalTwinsInstance-Endpoints-${index}' params: { digitalTwinInstanceName: digitalTwinsInstance.name - name: contains(serviceBusEndpoint, 'name') ? serviceBusEndpoint.name : 'ServiceBusEndpoint' - authenticationType: contains(serviceBusEndpoint, 'authenticationType') - ? serviceBusEndpoint.authenticationType - : '' - deadLetterSecret: contains(serviceBusEndpoint, 'deadLetterSecret') ? serviceBusEndpoint.deadLetterSecret : '' - deadLetterUri: contains(serviceBusEndpoint, 'deadLetterUri') ? serviceBusEndpoint.deadLetterUri : '' - endpointUri: contains(serviceBusEndpoint, 'endpointUri') ? serviceBusEndpoint.endpointUri : '' - entityPath: contains(serviceBusEndpoint, 'entityPath') ? serviceBusEndpoint.entityPath : '' - primaryConnectionString: contains(serviceBusEndpoint, 'primaryConnectionString') - ? serviceBusEndpoint.primaryConnectionString - : '' - secondaryConnectionString: contains(serviceBusEndpoint, 'secondaryConnectionString') - ? serviceBusEndpoint.secondaryConnectionString - : '' - managedIdentities: contains(serviceBusEndpoint, 'managedIdentities') ? serviceBusEndpoint.managedIdentities : {} + name: endpoint.?name ?? 
'${endpoint.properties.endpointType}Endpoint' + properties: endpoint.properties } } ] -module digitalTwinsInstance_privateEndpoints 'br/public:avm/res/network/private-endpoint:0.4.1' = [ +module digitalTwinsInstance_privateEndpoints 'br/public:avm/res/network/private-endpoint:0.9.0' = [ for (privateEndpoint, index) in (privateEndpoints ?? []): { name: '${uniqueString(deployment().name, location)}-digitalTwinsInstance-PrivateEndpoint-${index}' scope: resourceGroup(privateEndpoint.?resourceGroupName ?? '') @@ -221,8 +178,7 @@ module digitalTwinsInstance_privateEndpoints 'br/public:avm/res/network/private- 'Full' ).location lock: privateEndpoint.?lock ?? lock - privateDnsZoneGroupName: privateEndpoint.?privateDnsZoneGroupName - privateDnsZoneResourceIds: privateEndpoint.?privateDnsZoneResourceIds + privateDnsZoneGroup: privateEndpoint.?privateDnsZoneGroup roleAssignments: privateEndpoint.?roleAssignments tags: privateEndpoint.?tags ?? tags customDnsConfigs: privateEndpoint.?customDnsConfigs 
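Review bot: `name: endpoint.?name ?? '${endpoint.properties.endpointType}Endpoint'` gives every unnamed endpoint of the same type the same child-resource name, so two unnamed EventHub endpoints deploy `Microsoft.DigitalTwins/digitalTwinsInstances/endpoints` twice under one name from parallel module deployments and will, as far as I can tell, either conflict or overwrite each other. The old per-type modules used the same default, so this is not new, but the merged loop makes it easier to hit. Either fold the index into the fallback, `name: endpoint.?name ?? '${endpoint.properties.endpointType}Endpoint-${index}'` (a naming change for existing deployments), or state in the `name` description of `endpointType` in the later hunk that a name is required when more than one endpoint of a type is declared.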
@@ -274,14 +230,14 @@ resource digitalTwinsInstance_diagnosticSettings 'Microsoft.Insights/diagnosticS ] resource digitalTwinsInstance_roleAssignments 'Microsoft.Authorization/roleAssignments@2022-04-01' = [ - for (roleAssignment, index) in (roleAssignments ?? []): { - name: guid(digitalTwinsInstance.id, roleAssignment.principalId, roleAssignment.roleDefinitionIdOrName) + for (roleAssignment, index) in (formattedRoleAssignments ?? []): { + name: roleAssignment.?name ?? guid( + digitalTwinsInstance.id, + roleAssignment.principalId, + roleAssignment.roleDefinitionId + ) properties: { - roleDefinitionId: contains(builtInRoleNames, roleAssignment.roleDefinitionIdOrName) - ? builtInRoleNames[roleAssignment.roleDefinitionIdOrName] - : contains(roleAssignment.roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/') - ? roleAssignment.roleDefinitionIdOrName - : subscriptionResourceId('Microsoft.Authorization/roleDefinitions', roleAssignment.roleDefinitionIdOrName) + roleDefinitionId: roleAssignment.roleDefinitionId principalId: roleAssignment.principalId description: roleAssignment.?description principalType: roleAssignment.?principalType 
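Review bot: The role-assignment name is now `guid(digitalTwinsInstance.id, roleAssignment.principalId, roleAssignment.roleDefinitionId)` with the resolved definition ID instead of the raw `roleDefinitionIdOrName`, so for callers who pass a built-in role by display name or bare GUID the computed name changes on upgrade; ARM will then try to create a second assignment for the same principal, role and scope and, as far as I can tell, rejects it with a RoleAssignmentExists conflict until the old one is removed. This matches the current AVM pattern, but it should be called out as a breaking change in the version bump. Separately, `formattedRoleAssignments ?? []` is redundant because `formattedRoleAssignments` is a non-nullable array literal; `for (roleAssignment, index) in formattedRoleAssignments: {` reads cleaner.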
@@ -309,169 +265,53 @@ output hostname string = digitalTwinsInstance.properties.hostName output location string = digitalTwinsInstance.location @description('The principal ID of the system assigned identity.') -output systemAssignedMIPrincipalId string = digitalTwinsInstance.?identity.?principalId ?? '' +output systemAssignedMIPrincipalId string? = digitalTwinsInstance.?identity.?principalId + +@description('The private endpoints of the key vault.') +output privateEndpoints privateEndpointOutputType[] = [ + for (item, index) in (privateEndpoints ?? []): { + name: digitalTwinsInstance_privateEndpoints[index].outputs.name + resourceId: digitalTwinsInstance_privateEndpoints[index].outputs.resourceId + groupId: digitalTwinsInstance_privateEndpoints[index].outputs.groupId + customDnsConfigs: digitalTwinsInstance_privateEndpoints[index].outputs.customDnsConfig + networkInterfaceResourceIds: digitalTwinsInstance_privateEndpoints[index].outputs.networkInterfaceResourceIds + } +] // =============== // // Definitions // // =============== // +@export() +type privateEndpointOutputType = { + @description('The name of the private endpoint.') + name: string -type managedIdentitiesType = { - @description('Optional. Enables system assigned managed identity on the resource.') - systemAssigned: bool? - - @description('Optional. The resource ID(s) to assign to the resource.') - userAssignedResourceIds: string[]? -}? - -type lockType = { - @description('Optional. Specify the name of lock.') - name: string? - - @description('Optional. Specify the type of lock.') - kind: ('CanNotDelete' | 'ReadOnly' | 'None')? -}? - -type roleAssignmentType = { - @description('Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: \'/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11\'.') - roleDefinitionIdOrName: string - - @description('Required. 
The principal ID of the principal (user/group/identity) to assign the role to.') - principalId: string - - @description('Optional. The principal type of the assigned principal ID.') - principalType: ('ServicePrincipal' | 'Group' | 'User' | 'ForeignGroup' | 'Device')? - - @description('Optional. The description of the role assignment.') - description: string? - - @description('Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase "foo_storage_container".') - condition: string? - - @description('Optional. Version of the condition.') - conditionVersion: '2.0'? - - @description('Optional. The Resource Id of the delegated managed identity resource.') - delegatedManagedIdentityResourceId: string? -}[]? - -type privateEndpointType = { - @description('Optional. The name of the private endpoint.') - name: string? - - @description('Optional. The location to deploy the private endpoint to.') - location: string? - - @description('Optional. The name of the private link connection to create.') - privateLinkServiceConnectionName: string? - - @description('Optional. The subresource to deploy the private endpoint for. For example "vault", "mysqlServer" or "dataFactory".') - service: string? - - @description('Required. Resource ID of the subnet where the endpoint needs to be created.') - subnetResourceId: string + @description('The resource ID of the private endpoint.') + resourceId: string - @description('Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided.') - privateDnsZoneGroupName: string? + @description('The group Id for the private endpoint Group.') + groupId: string? - @description('Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones.') - privateDnsZoneResourceIds: string[]? 
- - @description('Optional. If Manual Private Link Connection is required.') - isManualConnection: bool? - - @description('Optional. A message passed to the owner of the remote resource with the manual connection request.') - @maxLength(140) - manualConnectionRequestMessage: string? - - @description('Optional. Custom DNS configurations.') + @description('The custom DNS configurations of the private endpoint.') customDnsConfigs: { - @description('Optional. FQDN that resolves to private endpoint IP address.') + @description('FQDN that resolves to private endpoint IP address.') fqdn: string? - @description('Required. A list of private IP addresses of the private endpoint.') + @description('A list of private IP addresses of the private endpoint.') ipAddresses: string[] - }[]? - - @description('Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints.') - ipConfigurations: { - @description('Required. The name of the resource that is unique within a resource group.') - name: string - - @description('Required. Properties of private endpoint IP configurations.') - properties: { - @description('Required. The ID of a group obtained from the remote resource that this private endpoint should connect to.') - groupId: string - - @description('Required. The member name of a group obtained from the remote resource that this private endpoint should connect to.') - memberName: string - - @description('Required. A private IP address obtained from the private endpoint\'s subnet.') - privateIPAddress: string - } - }[]? - - @description('Optional. Application security groups in which the private endpoint IP configuration is included.') - applicationSecurityGroupResourceIds: string[]? - - @description('Optional. The custom name of the network interface attached to the private endpoint.') - customNetworkInterfaceName: string? - - @description('Optional. 
Specify the type of lock.') - lock: lockType + }[] - @description('Optional. Array of role assignments to create.') - roleAssignments: roleAssignmentType - - @description('Optional. Tags to be applied on all resources/resource groups in this deployment.') - tags: object? - - @description('Optional. Enable/Disable usage telemetry for module.') - enableTelemetry: bool? - - @description('Optional. Specify if you want to deploy the Privte Endpoint into a different resource group than the main resource.') - resourceGroupName: string? -}[]? + @description('The IDs of the network interfaces associated with the private endpoint.') + networkInterfaceResourceIds: string[] +} -type diagnosticSettingType = { - @description('Optional. The name of diagnostic setting.') +import { propertiesType } from 'endpoint/main.bicep' +@export() +@description('The type for a Digital Twin Endpoint.') +type endpointType = { + @description('Optional. The name of the Digital Twin Endpoint.') name: string? - @description('Optional. The name of logs that will be streamed. "allLogs" includes all possible logs for the resource. Set to `[]` to disable log collection.') - logCategoriesAndGroups: { - @description('Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here.') - category: string? - - @description('Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to `allLogs` to collect all logs.') - categoryGroup: string? - - @description('Optional. Enable or disable the category explicitly. Default is `true`.') - enabled: bool? - }[]? - - @description('Optional. The name of metrics that will be streamed. "allMetrics" includes all possible metrics for the resource. Set to `[]` to disable metric collection.') - metricCategories: { - @description('Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. 
Set to `AllMetrics` to collect all metrics.') - category: string - - @description('Optional. Enable or disable the category explicitly. Default is `true`.') - enabled: bool? - }[]? - - @description('Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type.') - logAnalyticsDestinationType: ('Dedicated' | 'AzureDiagnostics')? - - @description('Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') - workspaceResourceId: string? - - @description('Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') - storageAccountResourceId: string? - - @description('Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to.') - eventHubAuthorizationRuleResourceId: string? - - @description('Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub.') - eventHubName: string? - - @description('Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs.') - marketplacePartnerResourceId: string? -}[]? + @description('Required. The properties of the endpoint.') + properties: propertiesType +} diff --git a/avm/res/digital-twins/digital-twins-instance/main.json b/avm/res/digital-twins/digital-twins-instance/main.json index 0b234bd50d..cb1236cccf 100644 --- a/avm/res/digital-twins/digital-twins-instance/main.json 
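Review bot: The description of the new `privateEndpoints` output reads `'The private endpoints of the key vault.'`, which is copied from another module; it should read `@description('The private endpoints of the Digital Twins instance.')`. The `import { propertiesType } from 'endpoint/main.bicep'` statement sits inside the Definitions section between two type declarations; moving it to the top of the file with the other imports keeps that section declarative. `privateEndpointOutputType` also has no type-level `@description`, unlike `endpointType` just below it, e.g. `@description('The type for a private endpoint output.')`.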
+++ b/avm/res/digital-twins/digital-twins-instance/main.json 
@@ -6,443 +6,911 @@ "_generator": { "name": "bicep", "version": "0.32.4.45862", - "templateHash": "16243868201799712200" + "templateHash": "4854991310442346942" }, "name": "Digital Twins Instances", "description": "This module deploys an Azure Digital Twins Instance.", "owner": "Azure/module-maintainers" }, "definitions": { - "managedIdentitiesType": { + "privateEndpointOutputType": { "type": "object", "properties": { - "systemAssigned": { - "type": "bool", + "name": { + "type": "string", + "metadata": { + "description": "The name of the private endpoint." + } + }, + "resourceId": { + "type": "string", + "metadata": { + "description": "The resource ID of the private endpoint." + } + }, + "groupId": { + "type": "string", "nullable": true, "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." + "description": "The group Id for the private endpoint Group." } }, - "userAssignedResourceIds": { + "customDnsConfigs": { + "type": "array", + "items": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "nullable": true, + "metadata": { + "description": "FQDN that resolves to private endpoint IP address." + } + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "A list of private IP addresses of the private endpoint." + } + } + } + }, + "metadata": { + "description": "The custom DNS configurations of the private endpoint." + } + }, + "networkInterfaceResourceIds": { "type": "array", "items": { "type": "string" }, - "nullable": true, "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." + "description": "The IDs of the network interfaces associated with the private endpoint." } } }, - "nullable": true + "metadata": { + "__bicep_export!": true + } }, - "lockType": { + "endpointType": { "type": "object", "properties": { "name": { "type": "string", "nullable": true, "metadata": { - "description": "Optional. 
Specify the name of lock." + "description": "Optional. The name of the Digital Twin Endpoint." } }, - "kind": { - "type": "string", - "allowedValues": [ - "CanNotDelete", - "None", - "ReadOnly" - ], - "nullable": true, + "properties": { + "$ref": "#/definitions/propertiesType", "metadata": { - "description": "Optional. Specify the type of lock." + "description": "Required. The properties of the endpoint." } } }, - "nullable": true + "metadata": { + "__bicep_export!": true, + "description": "The type for a Digital Twin Endpoint." + } }, - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } - }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." - } - }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." - } - }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." 
- } - }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } + "_1.privateEndpointCustomDnsConfigType": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. FQDN that resolves to private endpoint IP address." + } + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } + "metadata": { + "description": "Required. A list of private IP addresses of the private endpoint." } } }, - "nullable": true + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.4.1" + } + } }, - "privateEndpointType": { - "type": "array", - "items": { - "type": "object", + "_1.privateEndpointIpConfigurationType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." + } + }, "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private endpoint." - } - }, - "location": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The location to deploy the private endpoint to." - } - }, - "privateLinkServiceConnectionName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private link connection to create." - } - }, - "service": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The subresource to deploy the private endpoint for. For example \"vault\", \"mysqlServer\" or \"dataFactory\"." 
- } - }, - "subnetResourceId": { - "type": "string", - "metadata": { - "description": "Required. Resource ID of the subnet where the endpoint needs to be created." - } - }, - "privateDnsZoneGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." - } - }, - "privateDnsZoneResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint with. A DNS zone group can support up to 5 DNS zones." - } - }, - "isManualConnection": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. If Manual Private Link Connection is required." - } - }, - "manualConnectionRequestMessage": { - "type": "string", - "nullable": true, - "maxLength": 140, - "metadata": { - "description": "Optional. A message passed to the owner of the remote resource with the manual connection request." - } - }, - "customDnsConfigs": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. FQDN that resolves to private endpoint IP address." - } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private IP addresses of the private endpoint." - } - } + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." } }, - "nullable": true, - "metadata": { - "description": "Optional. Custom DNS configurations." 
- } - }, - "ipConfigurations": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private IP address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. Properties of private endpoint IP configurations." - } - } + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." } }, - "nullable": true, - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "applicationSecurityGroupResourceIds": { - "type": "array", - "items": { - "type": "string" - }, - "nullable": true, - "metadata": { - "description": "Optional. Application security groups in which the private endpoint IP configuration is included." - } - }, - "customNetworkInterfaceName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The custom name of the network interface attached to the private endpoint." - } - }, - "lock": { - "$ref": "#/definitions/lockType", - "metadata": { - "description": "Optional. Specify the type of lock." 
- } - }, - "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", - "metadata": { - "description": "Optional. Array of role assignments to create." - } - }, - "tags": { - "type": "object", - "nullable": true, - "metadata": { - "description": "Optional. Tags to be applied on all resources/resource groups in this deployment." - } - }, - "enableTelemetry": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable/Disable usage telemetry for module." + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private IP address obtained from the private endpoint's subnet." + } } }, - "resourceGroupName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Specify if you want to deploy the Privte Endpoint into a different resource group than the main resource." - } + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." } } }, - "nullable": true + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.4.1" + } + } }, - "diagnosticSettingType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The name of diagnostic setting." - } - }, - "logCategoriesAndGroups": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." - } - }, - "categoryGroup": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to `allLogs` to collect all logs." 
- } - }, - "enabled": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable or disable the category explicitly. Default is `true`." - } + "_1.privateEndpointPrivateDnsZoneGroupType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the Private DNS Zone Group." + } + }, + "privateDnsZoneGroupConfigs": { + "type": "array", + "items": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private DNS Zone Group config." } - } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to `[]` to disable log collection." - } - }, - "metricCategories": { - "type": "array", - "items": { - "type": "object", - "properties": { - "category": { - "type": "string", - "metadata": { - "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to `AllMetrics` to collect all metrics." - } - }, - "enabled": { - "type": "bool", - "nullable": true, - "metadata": { - "description": "Optional. Enable or disable the category explicitly. Default is `true`." - } + }, + "privateDnsZoneResourceId": { + "type": "string", + "metadata": { + "description": "Required. The resource id of the private DNS zone." } } - }, - "nullable": true, - "metadata": { - "description": "Optional. The name of metrics that will be streamed. \"allMetrics\" includes all possible metrics for the resource. Set to `[]` to disable metric collection." - } - }, - "logAnalyticsDestinationType": { - "type": "string", - "allowedValues": [ - "AzureDiagnostics", - "Dedicated" - ], - "nullable": true, - "metadata": { - "description": "Optional. 
A string indicating whether the export to Log Analytics should use the default destination type, i.e. AzureDiagnostics, or use a destination type." - } - }, - "workspaceResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." } }, - "storageAccountResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "eventHubAuthorizationRuleResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." - } - }, - "eventHubName": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." - } - }, - "marketplacePartnerResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." - } + "metadata": { + "description": "Required. The private DNS Zone Groups to associate the Private Endpoint. A DNS Zone Group can support up to 5 DNS zones." 
+ } + } + }, + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.4.1" + } + } + }, + "_2.eventGridPropertiesType": { + "type": "object", + "properties": { + "endpointType": { + "type": "string", + "allowedValues": [ + "EventGrid" + ], + "metadata": { + "description": "Required. The type of endpoint to create." + } + }, + "deadLetterSecret": { + "type": "securestring", + "nullable": true, + "metadata": { + "description": "Optional. Dead letter storage secret for key-based authentication. Will be obfuscated during read." + } + }, + "deadLetterUri": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Dead letter storage URL for identity-based authentication." + } + }, + "managedIdentities": { + "$ref": "#/definitions/managedIdentityAllType", + "nullable": true, + "metadata": { + "description": "Optional. The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both." + } + }, + "eventGridTopicResourceId": { + "type": "string", + "metadata": { + "description": "Required. The resource ID of the Event Grid Topic to get access keys from." 
+ } + } + }, + "metadata": { + "description": "The type for an event grid endpoint.", + "__bicep_imported_from!": { + "sourceTemplate": "endpoint/main.bicep" + } + } + }, + "_2.eventHubAuthorizationPropertiesType": { + "type": "object", + "discriminator": { + "propertyName": "type", + "mapping": { + "IdentityBased": { + "$ref": "#/definitions/_2.eventHubIdentityBasedAuthenticationPropertiesType" + }, + "KeyBased": { + "$ref": "#/definitions/_2.eventHubKeyBasedAuthenticationPropertiesType" + } + } + }, + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "endpoint/main.bicep" + } + } + }, + "_2.eventHubIdentityBasedAuthenticationPropertiesType": { + "type": "object", + "properties": { + "type": { + "type": "string", + "allowedValues": [ + "IdentityBased" + ], + "metadata": { + "description": "Required. Specifies the authentication type being used for connecting to the endpoint. If 'KeyBased' is selected, a connection string must be specified (at least the primary connection string). If 'IdentityBased' is select, the endpointUri and entityPath properties must be specified." + } + }, + "eventHubResourceId": { + "type": "string", + "metadata": { + "description": "Required. The resource ID of the Event Hub Namespace Event Hub." + } + } + }, + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "endpoint/main.bicep" + } + } + }, + "_2.eventHubKeyBasedAuthenticationPropertiesType": { + "type": "object", + "properties": { + "type": { + "type": "string", + "allowedValues": [ + "KeyBased" + ], + "metadata": { + "description": "Required. Specifies the authentication type being used for connecting to the endpoint. If 'KeyBased' is selected, a connection string must be specified (at least the primary connection string). If 'IdentityBased' is select, the endpointUri and entityPath properties must be specified." + } + }, + "eventHubResourceId": { + "type": "string", + "metadata": { + "description": "Required. 
The resource ID of the Event Hub Namespace Event Hub." + } + }, + "eventHubAuthorizationRuleName": { + "type": "string", + "metadata": { + "description": "Required. The name of the Event Hub Namespace Event Hub Authorization Rule." + } + } + }, + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "endpoint/main.bicep" + } + } + }, + "_2.eventHubPropertiesType": { + "type": "object", + "properties": { + "endpointType": { + "type": "string", + "allowedValues": [ + "EventHub" + ], + "metadata": { + "description": "Required. The type of endpoint to create." + } + }, + "deadLetterSecret": { + "type": "securestring", + "nullable": true, + "metadata": { + "description": "Optional. Dead letter storage secret for key-based authentication. Will be obfuscated during read." + } + }, + "deadLetterUri": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Dead letter storage URL for identity-based authentication." + } + }, + "managedIdentities": { + "$ref": "#/definitions/managedIdentityAllType", + "nullable": true, + "metadata": { + "description": "Optional. The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both." + } + }, + "authentication": { + "$ref": "#/definitions/_2.eventHubAuthorizationPropertiesType", + "metadata": { + "description": "Required. Specifies the authentication type being used for connecting to the endpoint." 
+ } + } + }, + "metadata": { + "description": "The type for an event hub endpoint.", + "__bicep_imported_from!": { + "sourceTemplate": "endpoint/main.bicep" + } + } + }, + "_2.serviceBusNamespaceAuthorizationPropertiesType": { + "type": "object", + "discriminator": { + "propertyName": "type", + "mapping": { + "IdentityBased": { + "$ref": "#/definitions/_2.serviceBusNamespaceIdentityBasedAuthenticationPropertiesType" + }, + "KeyBased": { + "$ref": "#/definitions/_2.serviceBusNamespaceKeyBasedAuthenticationPropertiesType" + } + } + }, + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "endpoint/main.bicep" + } + } + }, + "_2.serviceBusNamespaceIdentityBasedAuthenticationPropertiesType": { + "type": "object", + "properties": { + "type": { + "type": "string", + "allowedValues": [ + "IdentityBased" + ], + "metadata": { + "description": "Required. Specifies the authentication type being used for connecting to the endpoint. If 'KeyBased' is selected, a connection string must be specified (at least the primary connection string). If 'IdentityBased' is select, the endpointUri and entityPath properties must be specified." + } + }, + "serviceBusNamespaceTopicResourceId": { + "type": "string", + "metadata": { + "description": "Required. The ServiceBus Namespace Topic resource ID." + } + } + }, + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "endpoint/main.bicep" + } + } + }, + "_2.serviceBusNamespaceKeyBasedAuthenticationPropertiesType": { + "type": "object", + "properties": { + "type": { + "type": "string", + "allowedValues": [ + "KeyBased" + ], + "metadata": { + "description": "Required. Specifies the authentication type being used for connecting to the endpoint. If 'KeyBased' is selected, a connection string must be specified (at least the primary connection string). If 'IdentityBased' is select, the endpointUri and entityPath properties must be specified." 
+ } + }, + "serviceBusNamespaceAuthorizationRuleResourceId": { + "type": "string", + "metadata": { + "description": "Required. The ServiceBus Namespace Authorization Rule resource ID." + } + } + }, + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "endpoint/main.bicep" + } + } + }, + "_2.serviceBusPropertiesType": { + "type": "object", + "properties": { + "endpointType": { + "type": "string", + "allowedValues": [ + "ServiceBus" + ], + "metadata": { + "description": "Required. The type of endpoint to create." + } + }, + "authentication": { + "$ref": "#/definitions/_2.serviceBusNamespaceAuthorizationPropertiesType", + "metadata": { + "description": "Required. Specifies the authentication type being used for connecting to the endpoint." + } + }, + "deadLetterSecret": { + "type": "securestring", + "nullable": true, + "metadata": { + "description": "Optional. Dead letter storage secret for key-based authentication. Will be obfuscated during read." + } + }, + "deadLetterUri": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Dead letter storage URL for identity-based authentication." + } + }, + "managedIdentities": { + "$ref": "#/definitions/managedIdentityAllType", + "nullable": true, + "metadata": { + "description": "Optional. The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both." + } + } + }, + "metadata": { + "description": "The type for a service bus endpoint.", + "__bicep_imported_from!": { + "sourceTemplate": "endpoint/main.bicep" + } + } + }, + "diagnosticSettingFullType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the diagnostic setting." 
+ } + }, + "logCategoriesAndGroups": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category for a resource type this setting is applied to. Set the specific logs to collect here." + } + }, + "categoryGroup": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of a Diagnostic Log category group for a resource type this setting is applied to. Set to `allLogs` to collect all logs." + } + }, + "enabled": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable or disable the category explicitly. Default is `true`." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of logs that will be streamed. \"allLogs\" includes all possible logs for the resource. Set to `[]` to disable log collection." + } + }, + "metricCategories": { + "type": "array", + "items": { + "type": "object", + "properties": { + "category": { + "type": "string", + "metadata": { + "description": "Required. Name of a Diagnostic Metric category for a resource type this setting is applied to. Set to `AllMetrics` to collect all metrics." + } + }, + "enabled": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable or disable the category explicitly. Default is `true`." + } + } + } + }, + "nullable": true, + "metadata": { + "description": "Optional. The name of metrics that will be streamed. \"allMetrics\" includes all possible metrics for the resource. Set to `[]` to disable metric collection." + } + }, + "logAnalyticsDestinationType": { + "type": "string", + "allowedValues": [ + "AzureDiagnostics", + "Dedicated" + ], + "nullable": true, + "metadata": { + "description": "Optional. A string indicating whether the export to Log Analytics should use the default destination type, i.e. 
AzureDiagnostics, or use a destination type." + } + }, + "workspaceResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic log analytics workspace. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "storageAccountResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic storage account. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "eventHubAuthorizationRuleResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Resource ID of the diagnostic event hub authorization rule for the Event Hubs namespace in which the event hub should be created or streamed to." + } + }, + "eventHubName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Name of the diagnostic event hub within the namespace to which logs are streamed. Without this, an event hub is created for each log category. For security reasons, it is recommended to set diagnostic settings to send data to either storage account, log analytics workspace or event hub." + } + }, + "marketplacePartnerResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The full ARM resource ID of the Marketplace resource to which you would like to send Diagnostic Logs." + } + } + }, + "metadata": { + "description": "An AVM-aligned type for a diagnostic setting. 
To be used if both logs & metrics are supported by the resource provider.", + "__bicep_imported_from!": { + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.4.1" + } + } + }, + "lockType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify the name of lock." + } + }, + "kind": { + "type": "string", + "allowedValues": [ + "CanNotDelete", + "None", + "ReadOnly" + ], + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + } + }, + "metadata": { + "description": "An AVM-aligned type for a lock.", + "__bicep_imported_from!": { + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.4.1" + } + } + }, + "managedIdentityAllType": { + "type": "object", + "properties": { + "systemAssigned": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enables system assigned managed identity on the resource." + } + }, + "userAssignedResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption." + } + } + }, + "metadata": { + "description": "An AVM-aligned type for a managed identity configuration. To be used if both a system-assigned & user-assigned identities are supported by the resource provider.", + "__bicep_imported_from!": { + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.4.1" + } + } + }, + "privateEndpointSingleServiceType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the Private Endpoint." + } + }, + "location": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The location to deploy the Private Endpoint to." 
+ } + }, + "privateLinkServiceConnectionName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private link connection to create." + } + }, + "service": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The subresource to deploy the Private Endpoint for. For example \"vault\" for a Key Vault Private Endpoint." + } + }, + "subnetResourceId": { + "type": "string", + "metadata": { + "description": "Required. Resource ID of the subnet where the endpoint needs to be created." + } + }, + "privateDnsZoneGroup": { + "$ref": "#/definitions/_1.privateEndpointPrivateDnsZoneGroupType", + "nullable": true, + "metadata": { + "description": "Optional. The private DNS Zone Group to configure for the Private Endpoint." + } + }, + "isManualConnection": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. If Manual Private Link Connection is required." + } + }, + "manualConnectionRequestMessage": { + "type": "string", + "nullable": true, + "maxLength": 140, + "metadata": { + "description": "Optional. A message passed to the owner of the remote resource with the manual connection request." + } + }, + "customDnsConfigs": { + "type": "array", + "items": { + "$ref": "#/definitions/_1.privateEndpointCustomDnsConfigType" + }, + "nullable": true, + "metadata": { + "description": "Optional. Custom DNS configurations." + } + }, + "ipConfigurations": { + "type": "array", + "items": { + "$ref": "#/definitions/_1.privateEndpointIpConfigurationType" + }, + "nullable": true, + "metadata": { + "description": "Optional. A list of IP configurations of the Private Endpoint. This will be used to map to the first-party Service endpoints." + } + }, + "applicationSecurityGroupResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "nullable": true, + "metadata": { + "description": "Optional. 
Application security groups in which the Private Endpoint IP configuration is included." + } + }, + "customNetworkInterfaceName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The custom name of the network interface attached to the Private Endpoint." + } + }, + "lock": { + "$ref": "#/definitions/lockType", + "nullable": true, + "metadata": { + "description": "Optional. Specify the type of lock." + } + }, + "roleAssignments": { + "type": "array", + "items": { + "$ref": "#/definitions/roleAssignmentType" + }, + "nullable": true, + "metadata": { + "description": "Optional. Array of role assignments to create." + } + }, + "tags": { + "type": "object", + "nullable": true, + "metadata": { + "description": "Optional. Tags to be applied on all resources/Resource Groups in this deployment." + } + }, + "enableTelemetry": { + "type": "bool", + "nullable": true, + "metadata": { + "description": "Optional. Enable/Disable usage telemetry for module." + } + }, + "resourceGroupName": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Specify if you want to deploy the Private Endpoint into a different Resource Group than the main resource." + } + } + }, + "metadata": { + "description": "An AVM-aligned type for a private endpoint. 
To be used if the private endpoint's default service / groupId can be assumed (i.e., for services that only have one Private Endpoint type like 'vault' for key vault).", + "__bicep_imported_from!": { + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.4.1" + } + } + }, + "propertiesType": { + "type": "object", + "discriminator": { + "propertyName": "endpointType", + "mapping": { + "EventGrid": { + "$ref": "#/definitions/_2.eventGridPropertiesType" + }, + "EventHub": { + "$ref": "#/definitions/_2.eventHubPropertiesType" + }, + "ServiceBus": { + "$ref": "#/definitions/_2.serviceBusPropertiesType" + } + } + }, + "metadata": { + "description": "The type for the Digital Twin Endpoint.", + "__bicep_imported_from!": { + "sourceTemplate": "endpoint/main.bicep" + } + } + }, + "roleAssignmentType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated." + } + }, + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." 
+ } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." + } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." } } }, - "nullable": true + "metadata": { + "description": "An AVM-aligned type for a role assignment.", + "__bicep_imported_from!": { + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.4.1" + } + } } }, "parameters": { 
@@ -470,39 +938,34 @@ }, "lock": { "$ref": "#/definitions/lockType", + "nullable": true, "metadata": { "description": "Optional. The lock settings of the service." } }, "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Optional. The managed identity definition for this resource." - } - }, - "eventHubEndpoints": { - "type": "array", + "$ref": "#/definitions/managedIdentityAllType", "nullable": true, "metadata": { - "description": "Optional. Event Hub Endpoint." + "description": "Optional. The managed identity definition for this resource." } }, - "eventGridEndpoints": { + "endpoints": { "type": "array", + "items": { + "$ref": "#/definitions/endpointType" + }, "nullable": true, "metadata": { - "description": "Optional. Event Grid Endpoint." + "description": "Optional. The endpoints of the service." } }, - "serviceBusEndpoints": { + "privateEndpoints": { "type": "array", + "items": { + "$ref": "#/definitions/privateEndpointSingleServiceType" + }, "nullable": true, - "metadata": { - "description": "Optional. Service Bus Endpoint." - } - }, - "privateEndpoints": { - "$ref": "#/definitions/privateEndpointType", "metadata": { "description": "Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible." } @@ -520,7 +983,11 @@ } }, "diagnosticSettings": { - "$ref": "#/definitions/diagnosticSettingType", + "type": "array", + "items": { + "$ref": "#/definitions/diagnosticSettingFullType" + }, + "nullable": true, "metadata": { "description": "Optional. The diagnostic settings of the service." } 
@@ -533,13 +1000,24 @@ } }, "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", + "type": "array", + "items": { + "$ref": "#/definitions/roleAssignmentType" + }, + "nullable": true, "metadata": { "description": "Optional. Array of role assignment objects that contain the 'roleDefinitionIdOrName' and 'principalIds' to define RBAC role assignments on this resource. In the roleDefinitionIdOrName attribute, you can provide either the display name of the role definition, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." } } }, "variables": { + "copy": [ + { + "name": "formattedRoleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]", + "input": "[union(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')], createObject('roleDefinitionId', coalesce(tryGet(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName), if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName)))))]" + } + ], "formattedUserAssignedIdentities": "[reduce(map(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createArray()), lambda('id', createObject(format('{0}', lambdaVariables('id')), createObject()))), createObject(), lambda('cur', 'next', union(lambdaVariables('cur'), lambdaVariables('next'))))]", "identity": "[if(not(empty(parameters('managedIdentities'))), 
createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'SystemAssigned,UserAssigned', 'SystemAssigned'), if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceIds'), createObject()))), 'UserAssigned', 'None')), 'userAssignedIdentities', if(not(empty(variables('formattedUserAssignedIdentities'))), variables('formattedUserAssignedIdentities'), null())), null())]", "builtInRoleNames": { 
@@ -642,33 +1120,33 @@ "digitalTwinsInstance_roleAssignments": { "copy": { "name": "digitalTwinsInstance_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + "count": "[length(coalesce(variables('formattedRoleAssignments'), createArray()))]" }, "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2022-04-01", "scope": "[format('Microsoft.DigitalTwins/digitalTwinsInstances/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.DigitalTwins/digitalTwinsInstances', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "name": "[coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'name'), guid(resourceId('Microsoft.DigitalTwins/digitalTwinsInstances', parameters('name')), coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId, coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId))]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": 
"[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + "roleDefinitionId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId]", + "principalId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ "digitalTwinsInstance" ] }, - "digitalTwinsInstance_eventHubEndpoints": { + "digitalTwinsInstance_endpoints": { "copy": { - "name": "digitalTwinsInstance_eventHubEndpoints", - "count": 
"[length(coalesce(parameters('eventHubEndpoints'), createArray()))]" + "name": "digitalTwinsInstance_endpoints", + "count": "[length(coalesce(parameters('endpoints'), createArray()))]" }, "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", - "name": "[format('{0}-DigitalTwinsInstance-Endpoints-EventHub-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", + "name": "[format('{0}-DigitalTwinsInstance-Endpoints-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", "properties": { "expressionEvaluationOptions": { "scope": "inner" 
@@ -678,15 +1156,12 @@ "digitalTwinInstanceName": { "value": "[parameters('name')]" }, - "name": "[if(contains(coalesce(parameters('eventHubEndpoints'), createArray())[copyIndex()], 'name'), createObject('value', coalesce(parameters('eventHubEndpoints'), createArray())[copyIndex()].name), createObject('value', 'EventHubEndpoint'))]", - "authenticationType": "[if(contains(coalesce(parameters('eventHubEndpoints'), createArray())[copyIndex()], 'authenticationType'), createObject('value', coalesce(parameters('eventHubEndpoints'), createArray())[copyIndex()].authenticationType), createObject('value', 'KeyBased'))]", - "connectionStringPrimaryKey": "[if(contains(coalesce(parameters('eventHubEndpoints'), createArray())[copyIndex()], 'connectionStringPrimaryKey'), createObject('value', coalesce(parameters('eventHubEndpoints'), createArray())[copyIndex()].connectionStringPrimaryKey), createObject('value', ''))]", - "connectionStringSecondaryKey": "[if(contains(coalesce(parameters('eventHubEndpoints'), createArray())[copyIndex()], 'connectionStringSecondaryKey'), createObject('value', coalesce(parameters('eventHubEndpoints'), createArray())[copyIndex()].connectionStringSecondaryKey), createObject('value', ''))]", - "deadLetterSecret": "[if(contains(coalesce(parameters('eventHubEndpoints'), createArray())[copyIndex()], 'deadLetterSecret'), createObject('value', coalesce(parameters('eventHubEndpoints'), createArray())[copyIndex()].deadLetterSecret), createObject('value', ''))]", - "deadLetterUri": "[if(contains(coalesce(parameters('eventHubEndpoints'), createArray())[copyIndex()], 'deadLetterUri'), createObject('value', coalesce(parameters('eventHubEndpoints'), createArray())[copyIndex()].deadLetterUri), createObject('value', ''))]", - "endpointUri": "[if(contains(coalesce(parameters('eventHubEndpoints'), createArray())[copyIndex()], 'endpointUri'), createObject('value', coalesce(parameters('eventHubEndpoints'), createArray())[copyIndex()].endpointUri), createObject('value', 
''))]", - "entityPath": "[if(contains(coalesce(parameters('eventHubEndpoints'), createArray())[copyIndex()], 'entityPath'), createObject('value', coalesce(parameters('eventHubEndpoints'), createArray())[copyIndex()].entityPath), createObject('value', ''))]", - "managedIdentities": "[if(contains(coalesce(parameters('eventHubEndpoints'), createArray())[copyIndex()], 'managedIdentities'), createObject('value', coalesce(parameters('eventHubEndpoints'), createArray())[copyIndex()].managedIdentities), createObject('value', createObject()))]" + "name": { + "value": "[coalesce(tryGet(coalesce(parameters('endpoints'), createArray())[copyIndex()], 'name'), format('{0}Endpoint', coalesce(parameters('endpoints'), createArray())[copyIndex()].properties.endpointType))]" + }, + "properties": { + "value": "[coalesce(parameters('endpoints'), createArray())[copyIndex()].properties]" + } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", 
@@ -696,336 +1171,289 @@ "_generator": { "name": "bicep", "version": "0.32.4.45862", - "templateHash": "13923156882372448729" + "templateHash": "1872253241260109642" }, - "name": "Digital Twins Instance EventHub Endpoint", - "description": "This module deploys a Digital Twins Instance EventHub Endpoint.", - "owner": "Azure/module-maintainers" + "name": "Digital Twins Instance Endpoint", + "description": "This module deploys a Digital Twins Instance Endpoint." }, "definitions": { - "managedIdentitiesType": { + "propertiesType": { + "type": "object", + "discriminator": { + "propertyName": "endpointType", + "mapping": { + "EventGrid": { + "$ref": "#/definitions/eventGridPropertiesType" + }, + "EventHub": { + "$ref": "#/definitions/eventHubPropertiesType" + }, + "ServiceBus": { + "$ref": "#/definitions/serviceBusPropertiesType" + } + } + }, + "metadata": { + "__bicep_export!": true, + "description": "The type for the Digital Twin Endpoint." + } + }, + "eventGridPropertiesType": { "type": "object", "properties": { - "systemAssigned": { - "type": "bool", + "endpointType": { + "type": "string", + "allowedValues": [ + "EventGrid" + ], + "metadata": { + "description": "Required. The type of endpoint to create." + } + }, + "deadLetterSecret": { + "type": "securestring", "nullable": true, "metadata": { - "description": "Optional. Enables system assigned managed identity on the resource." + "description": "Optional. Dead letter storage secret for key-based authentication. Will be obfuscated during read." } }, - "userAssignedResourceId": { + "deadLetterUri": { "type": "string", "nullable": true, "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." + "description": "Optional. Dead letter storage URL for identity-based authentication." + } + }, + "managedIdentities": { + "$ref": "#/definitions/managedIdentityAllType", + "nullable": true, + "metadata": { + "description": "Optional. The managed identity definition for this resource. 
Only one type of identity is supported: system-assigned or user-assigned, but not both." + } + }, + "eventGridTopicResourceId": { + "type": "string", + "metadata": { + "description": "Required. The resource ID of the Event Grid Topic to get access keys from." } } }, - "nullable": true - } - }, - "parameters": { - "name": { - "type": "string", - "defaultValue": "EventHubEndpoint", - "metadata": { - "description": "Optional. The name of the Digital Twin Endpoint." - } - }, - "digitalTwinInstanceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Digital Twin Instance resource. Required if the template is used in a standalone deployment." - } - }, - "authenticationType": { - "type": "string", - "defaultValue": "IdentityBased", - "allowedValues": [ - "IdentityBased", - "KeyBased" - ], - "metadata": { - "description": "Optional. Specifies the authentication type being used for connecting to the endpoint. If 'KeyBased' is selected, a connection string must be specified (at least the primary connection string). If 'IdentityBased' is selected, the endpointUri and entityPath properties must be specified." - } - }, - "deadLetterSecret": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Optional. Dead letter storage secret for key-based authentication. Will be obfuscated during read." - } - }, - "deadLetterUri": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Dead letter storage URL for identity-based authentication." - } - }, - "connectionStringPrimaryKey": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Conditional. PrimaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Required if the `authenticationType` is \"KeyBased\"." - } - }, - "connectionStringSecondaryKey": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Optional. 
SecondaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Only used if the `authenticationType` is \"KeyBased\"." - } - }, - "entityPath": { - "type": "string", - "defaultValue": "", "metadata": { - "description": "Optional. The EventHub name in the EventHub namespace for identity-based authentication." + "__bicep_export!": true, + "description": "The type for an event grid endpoint." } }, - "endpointUri": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The URL of the EventHub namespace for identity-based authentication. It must include the protocol 'sb://' (i.e. sb://xyz.servicebus.windows.net)." - } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", - "metadata": { - "description": "Optional. The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both." - } - } - }, - "variables": { - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), 'SystemAssigned', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceId'), ''))), 'UserAssigned', null())), 'userAssignedIdentity', tryGet(parameters('managedIdentities'), 'userAssignedResourceId')), null())]" - }, - "resources": { - "digitalTwinsInstance": { - "existing": true, - "type": "Microsoft.DigitalTwins/digitalTwinsInstances", - "apiVersion": "2023-01-31", - "name": "[parameters('digitalTwinInstanceName')]" - }, - "endpoint": { - "type": "Microsoft.DigitalTwins/digitalTwinsInstances/endpoints", - "apiVersion": "2023-01-31", - "name": "[format('{0}/{1}', parameters('digitalTwinInstanceName'), parameters('name'))]", + "eventHubPropertiesType": { + "type": "object", "properties": { - "endpointType": "EventHub", - "authenticationType": "[parameters('authenticationType')]", - 
"connectionStringPrimaryKey": "[parameters('connectionStringPrimaryKey')]", - "connectionStringSecondaryKey": "[parameters('connectionStringSecondaryKey')]", - "deadLetterSecret": "[parameters('deadLetterSecret')]", - "deadLetterUri": "[parameters('deadLetterUri')]", - "endpointUri": "[parameters('endpointUri')]", - "entityPath": "[parameters('entityPath')]", - "identity": "[variables('identity')]" - } - } - }, - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Endpoint." + "endpointType": { + "type": "string", + "allowedValues": [ + "EventHub" + ], + "metadata": { + "description": "Required. The type of endpoint to create." + } + }, + "deadLetterSecret": { + "type": "securestring", + "nullable": true, + "metadata": { + "description": "Optional. Dead letter storage secret for key-based authentication. Will be obfuscated during read." + } + }, + "deadLetterUri": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Dead letter storage URL for identity-based authentication." + } + }, + "managedIdentities": { + "$ref": "#/definitions/managedIdentityAllType", + "nullable": true, + "metadata": { + "description": "Optional. The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both." + } + }, + "authentication": { + "$ref": "#/definitions/eventHubAuthorizationPropertiesType", + "metadata": { + "description": "Required. Specifies the authentication type being used for connecting to the endpoint." + } + } }, - "value": "[resourceId('Microsoft.DigitalTwins/digitalTwinsInstances/endpoints', parameters('digitalTwinInstanceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", "metadata": { - "description": "The name of the resource group the resource was created in." 
- }, - "value": "[resourceGroup().name]" + "__bicep_export!": true, + "description": "The type for an event hub endpoint." + } }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the Endpoint." + "eventHubAuthorizationPropertiesType": { + "type": "object", + "discriminator": { + "propertyName": "type", + "mapping": { + "IdentityBased": { + "$ref": "#/definitions/eventHubIdentityBasedAuthenticationPropertiesType" + }, + "KeyBased": { + "$ref": "#/definitions/eventHubKeyBasedAuthenticationPropertiesType" + } + } }, - "value": "[parameters('name')]" - }, - "systemAssignedMIPrincipalId": { - "type": "string", "metadata": { - "description": "The principal ID of the system assigned identity. Note: As of 2024-03 is not exported by API." - }, - "value": "[coalesce(tryGet(tryGet(reference('endpoint', '2023-01-31', 'full'), 'identity'), 'principalId'), '')]" - } - } - } - }, - "dependsOn": [ - "digitalTwinsInstance" - ] - }, - "digitalTwinsInstance_eventGridEndpoints": { - "copy": { - "name": "digitalTwinsInstance_eventGridEndpoints", - "count": "[length(coalesce(parameters('eventGridEndpoints'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-DigitalTwinsInstance-Endpoints-EventGrid-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "digitalTwinInstanceName": { - "value": "[parameters('name')]" - }, - "name": "[if(contains(coalesce(parameters('eventGridEndpoints'), createArray())[copyIndex()], 'name'), createObject('value', coalesce(parameters('eventGridEndpoints'), createArray())[copyIndex()].name), createObject('value', 'EventGridEndpoint'))]", - "topicEndpoint": "[if(contains(coalesce(parameters('eventGridEndpoints'), createArray())[copyIndex()], 'topicEndpoint'), createObject('value', 
coalesce(parameters('eventGridEndpoints'), createArray())[copyIndex()].topicEndpoint), createObject('value', ''))]", - "deadLetterSecret": "[if(contains(coalesce(parameters('eventGridEndpoints'), createArray())[copyIndex()], 'deadLetterSecret'), createObject('value', coalesce(parameters('eventGridEndpoints'), createArray())[copyIndex()].deadLetterSecret), createObject('value', ''))]", - "deadLetterUri": "[if(contains(coalesce(parameters('eventGridEndpoints'), createArray())[copyIndex()], 'deadLetterUri'), createObject('value', coalesce(parameters('eventGridEndpoints'), createArray())[copyIndex()].deadLetterUri), createObject('value', ''))]", - "eventGridDomainResourceId": "[if(contains(coalesce(parameters('eventGridEndpoints'), createArray())[copyIndex()], 'eventGridDomainId'), createObject('value', coalesce(parameters('eventGridEndpoints'), createArray())[copyIndex()].eventGridDomainId), createObject('value', ''))]" - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.32.4.45862", - "templateHash": "14357918051528584394" + "__bicep_export!": true + } }, - "name": "Digital Twins Instance Event Grid Endpoints", - "description": "This module deploys a Digital Twins Instance Event Grid Endpoint.", - "owner": "Azure/module-maintainers" - }, - "parameters": { - "name": { - "type": "string", - "defaultValue": "EventGridEndpoint", - "metadata": { - "description": "Optional. The name of the Digital Twin Endpoint." + "eventHubIdentityBasedAuthenticationPropertiesType": { + "type": "object", + "properties": { + "type": { + "type": "string", + "allowedValues": [ + "IdentityBased" + ], + "metadata": { + "description": "Required. Specifies the authentication type being used for connecting to the endpoint. If 'KeyBased' is selected, a connection string must be specified (at least the primary connection string). 
If 'IdentityBased' is select, the endpointUri and entityPath properties must be specified." + } + }, + "eventHubResourceId": { + "type": "string", + "metadata": { + "description": "Required. The resource ID of the Event Hub Namespace Event Hub." + } + } } }, - "digitalTwinInstanceName": { - "type": "string", - "metadata": { - "description": "Conditional. The name of the parent Digital Twin Instance resource. Required if the template is used in a standalone deployment." + "eventHubKeyBasedAuthenticationPropertiesType": { + "type": "object", + "properties": { + "type": { + "type": "string", + "allowedValues": [ + "KeyBased" + ], + "metadata": { + "description": "Required. Specifies the authentication type being used for connecting to the endpoint. If 'KeyBased' is selected, a connection string must be specified (at least the primary connection string). If 'IdentityBased' is select, the endpointUri and entityPath properties must be specified." + } + }, + "eventHubResourceId": { + "type": "string", + "metadata": { + "description": "Required. The resource ID of the Event Hub Namespace Event Hub." + } + }, + "eventHubAuthorizationRuleName": { + "type": "string", + "metadata": { + "description": "Required. The name of the Event Hub Namespace Event Hub Authorization Rule." + } + } } }, - "topicEndpoint": { - "type": "string", + "serviceBusPropertiesType": { + "type": "object", + "properties": { + "endpointType": { + "type": "string", + "allowedValues": [ + "ServiceBus" + ], + "metadata": { + "description": "Required. The type of endpoint to create." + } + }, + "authentication": { + "$ref": "#/definitions/serviceBusNamespaceAuthorizationPropertiesType", + "metadata": { + "description": "Required. Specifies the authentication type being used for connecting to the endpoint." + } + }, + "deadLetterSecret": { + "type": "securestring", + "nullable": true, + "metadata": { + "description": "Optional. Dead letter storage secret for key-based authentication. 
Will be obfuscated during read." + } + }, + "deadLetterUri": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. Dead letter storage URL for identity-based authentication." + } + }, + "managedIdentities": { + "$ref": "#/definitions/managedIdentityAllType", + "nullable": true, + "metadata": { + "description": "Optional. The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both." + } + } + }, "metadata": { - "description": "Required. EventGrid Topic Endpoint." + "__bicep_export!": true, + "description": "The type for a service bus endpoint." } }, - "eventGridDomainResourceId": { - "type": "string", + "serviceBusNamespaceAuthorizationPropertiesType": { + "type": "object", + "discriminator": { + "propertyName": "type", + "mapping": { + "IdentityBased": { + "$ref": "#/definitions/serviceBusNamespaceIdentityBasedAuthenticationPropertiesType" + }, + "KeyBased": { + "$ref": "#/definitions/serviceBusNamespaceKeyBasedAuthenticationPropertiesType" + } + } + }, "metadata": { - "description": "Required. The resource ID of the Event Grid to get access keys from." + "__bicep_export!": true } }, - "deadLetterSecret": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Optional. Dead letter storage secret for key-based authentication. Will be obfuscated during read." + "serviceBusNamespaceIdentityBasedAuthenticationPropertiesType": { + "type": "object", + "properties": { + "type": { + "type": "string", + "allowedValues": [ + "IdentityBased" + ], + "metadata": { + "description": "Required. Specifies the authentication type being used for connecting to the endpoint. If 'KeyBased' is selected, a connection string must be specified (at least the primary connection string). If 'IdentityBased' is select, the endpointUri and entityPath properties must be specified." 
+ } + }, + "serviceBusNamespaceTopicResourceId": { + "type": "string", + "metadata": { + "description": "Required. The ServiceBus Namespace Topic resource ID." + } + } } }, - "deadLetterUri": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Dead letter storage URL for identity-based authentication." - } - } - }, - "resources": [ - { - "type": "Microsoft.DigitalTwins/digitalTwinsInstances/endpoints", - "apiVersion": "2023-01-31", - "name": "[format('{0}/{1}', parameters('digitalTwinInstanceName'), parameters('name'))]", + "serviceBusNamespaceKeyBasedAuthenticationPropertiesType": { + "type": "object", "properties": { - "endpointType": "EventGrid", - "authenticationType": "KeyBased", - "TopicEndpoint": "[parameters('topicEndpoint')]", - "accessKey1": "[listkeys(parameters('eventGridDomainResourceId'), '2022-06-15').key1]", - "accessKey2": "[listkeys(parameters('eventGridDomainResourceId'), '2022-06-15').key2]", - "deadLetterSecret": "[parameters('deadLetterSecret')]", - "deadLetterUri": "[parameters('deadLetterUri')]" + "type": { + "type": "string", + "allowedValues": [ + "KeyBased" + ], + "metadata": { + "description": "Required. Specifies the authentication type being used for connecting to the endpoint. If 'KeyBased' is selected, a connection string must be specified (at least the primary connection string). If 'IdentityBased' is select, the endpointUri and entityPath properties must be specified." + } + }, + "serviceBusNamespaceAuthorizationRuleResourceId": { + "type": "string", + "metadata": { + "description": "Required. The ServiceBus Namespace Authorization Rule resource ID." + } + } } - } - ], - "outputs": { - "resourceId": { - "type": "string", - "metadata": { - "description": "The resource ID of the Endpoint." 
- }, - "value": "[resourceId('Microsoft.DigitalTwins/digitalTwinsInstances/endpoints', parameters('digitalTwinInstanceName'), parameters('name'))]" - }, - "resourceGroupName": { - "type": "string", - "metadata": { - "description": "The name of the resource group the resource was created in." - }, - "value": "[resourceGroup().name]" - }, - "name": { - "type": "string", - "metadata": { - "description": "The name of the Endpoint." - }, - "value": "[parameters('name')]" - } - } - } - }, - "dependsOn": [ - "digitalTwinsInstance" - ] - }, - "digitalTwinsInstance_serviceBusEndpoints": { - "copy": { - "name": "digitalTwinsInstance_serviceBusEndpoints", - "count": "[length(coalesce(parameters('serviceBusEndpoints'), createArray()))]" - }, - "type": "Microsoft.Resources/deployments", - "apiVersion": "2022-09-01", - "name": "[format('{0}-DigitalTwinsInstance-Endpoints-ServiceBus-{1}', uniqueString(deployment().name, parameters('location')), copyIndex())]", - "properties": { - "expressionEvaluationOptions": { - "scope": "inner" - }, - "mode": "Incremental", - "parameters": { - "digitalTwinInstanceName": { - "value": "[parameters('name')]" - }, - "name": "[if(contains(coalesce(parameters('serviceBusEndpoints'), createArray())[copyIndex()], 'name'), createObject('value', coalesce(parameters('serviceBusEndpoints'), createArray())[copyIndex()].name), createObject('value', 'ServiceBusEndpoint'))]", - "authenticationType": "[if(contains(coalesce(parameters('serviceBusEndpoints'), createArray())[copyIndex()], 'authenticationType'), createObject('value', coalesce(parameters('serviceBusEndpoints'), createArray())[copyIndex()].authenticationType), createObject('value', ''))]", - "deadLetterSecret": "[if(contains(coalesce(parameters('serviceBusEndpoints'), createArray())[copyIndex()], 'deadLetterSecret'), createObject('value', coalesce(parameters('serviceBusEndpoints'), createArray())[copyIndex()].deadLetterSecret), createObject('value', ''))]", - "deadLetterUri": 
"[if(contains(coalesce(parameters('serviceBusEndpoints'), createArray())[copyIndex()], 'deadLetterUri'), createObject('value', coalesce(parameters('serviceBusEndpoints'), createArray())[copyIndex()].deadLetterUri), createObject('value', ''))]", - "endpointUri": "[if(contains(coalesce(parameters('serviceBusEndpoints'), createArray())[copyIndex()], 'endpointUri'), createObject('value', coalesce(parameters('serviceBusEndpoints'), createArray())[copyIndex()].endpointUri), createObject('value', ''))]", - "entityPath": "[if(contains(coalesce(parameters('serviceBusEndpoints'), createArray())[copyIndex()], 'entityPath'), createObject('value', coalesce(parameters('serviceBusEndpoints'), createArray())[copyIndex()].entityPath), createObject('value', ''))]", - "primaryConnectionString": "[if(contains(coalesce(parameters('serviceBusEndpoints'), createArray())[copyIndex()], 'primaryConnectionString'), createObject('value', coalesce(parameters('serviceBusEndpoints'), createArray())[copyIndex()].primaryConnectionString), createObject('value', ''))]", - "secondaryConnectionString": "[if(contains(coalesce(parameters('serviceBusEndpoints'), createArray())[copyIndex()], 'secondaryConnectionString'), createObject('value', coalesce(parameters('serviceBusEndpoints'), createArray())[copyIndex()].secondaryConnectionString), createObject('value', ''))]", - "managedIdentities": "[if(contains(coalesce(parameters('serviceBusEndpoints'), createArray())[copyIndex()], 'managedIdentities'), createObject('value', coalesce(parameters('serviceBusEndpoints'), createArray())[copyIndex()].managedIdentities), createObject('value', createObject()))]" - }, - "template": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "languageVersion": "2.0", - "contentVersion": "1.0.0.0", - "metadata": { - "_generator": { - "name": "bicep", - "version": "0.32.4.45862", - "templateHash": "9917080858184002423" }, - "name": "Digital Twins Instance ServiceBus Endpoint", - 
"description": "This module deploys a Digital Twins Instance ServiceBus Endpoint.", - "owner": "Azure/module-maintainers" - }, - "definitions": { - "managedIdentitiesType": { + "managedIdentityAllType": { "type": "object", "properties": { "systemAssigned": { @@ -1035,23 +1463,30 @@ "description": "Optional. Enables system assigned managed identity on the resource." } }, - "userAssignedResourceId": { - "type": "string", + "userAssignedResourceIds": { + "type": "array", + "items": { + "type": "string" + }, "nullable": true, "metadata": { - "description": "Optional. The resource ID(s) to assign to the resource." + "description": "Optional. The resource ID(s) to assign to the resource. Required if a user assigned identity is used for encryption." } } }, - "nullable": true + "metadata": { + "description": "An AVM-aligned type for a managed identity configuration. To be used if both a system-assigned & user-assigned identities are supported by the resource provider.", + "__bicep_imported_from!": { + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.4.1" + } + } } }, "parameters": { "name": { "type": "string", - "defaultValue": "ServiceBusEndpoint", "metadata": { - "description": "Optional. The name of the Digital Twin Endpoint." + "description": "Required. The name of the Digital Twin Endpoint." } }, "digitalTwinInstanceName": { 
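Review bot: The `managedIdentityAllType` added in this hunk exposes `userAssignedResourceIds` as an array, but the endpoint template's new `identity` variable in the following hunk still reads `tryGet(tryGet(parameters('properties'), 'managedIdentities'), 'userAssignedResourceId')`, a property this type no longer declares, so a user-assigned identity supplied for identity-based authentication resolves to `null` and the endpoint is deployed with no identity attached. Because this main.json is generated, the correction belongs in endpoint/main.bicep where that expression is built; the endpoint resource appears to accept a single `userAssignedIdentity` value (both the removed and the added line use that key), so the expression would need to pick an element of `userAssignedResourceIds` or the type should be narrowed to one ID — please confirm against the resource API shape. The inherited description `Required if a user assigned identity is used for encryption.` is also unrelated to an endpoint and could be overridden in the Bicep source.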
@@ -1060,70 +1495,74 @@ "description": "Conditional. The name of the parent Digital Twin Instance resource. Required if the template is used in a standalone deployment." } }, - "authenticationType": { - "type": "string", - "defaultValue": "IdentityBased", - "allowedValues": [ - "IdentityBased", - "KeyBased" - ], - "metadata": { - "description": "Optional. Specifies the authentication type being used for connecting to the endpoint. If 'KeyBased' is selected, a connection string must be specified (at least the primary connection string). If 'IdentityBased' is selected, the endpointUri and entityPath properties must be specified." - } - }, - "deadLetterSecret": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Optional. Dead letter storage secret for key-based authentication. Will be obfuscated during read." - } - }, - "deadLetterUri": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. Dead letter storage URL for identity-based authentication." - } - }, - "endpointUri": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The URL of the ServiceBus namespace for identity-based authentication. It must include the protocol 'sb://' (e.g. sb://xyz.servicebus.windows.net)." - } - }, - "entityPath": { - "type": "string", - "defaultValue": "", - "metadata": { - "description": "Optional. The ServiceBus Topic name for identity-based authentication." - } - }, - "primaryConnectionString": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Conditional. PrimaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. Required if the `authenticationType` is \"KeyBased\"." - } - }, - "secondaryConnectionString": { - "type": "securestring", - "defaultValue": "", - "metadata": { - "description": "Optional. SecondaryConnectionString of the endpoint for key-based authentication. Will be obfuscated during read. 
Only used if the `authenticationType` is \"KeyBased\"." - } - }, - "managedIdentities": { - "$ref": "#/definitions/managedIdentitiesType", + "properties": { + "$ref": "#/definitions/propertiesType", "metadata": { - "description": "Optional. The managed identity definition for this resource. Only one type of identity is supported: system-assigned or user-assigned, but not both." + "description": "Required. The properties of the endpoint." } } }, "variables": { - "identity": "[if(not(empty(parameters('managedIdentities'))), createObject('type', if(coalesce(tryGet(parameters('managedIdentities'), 'systemAssigned'), false()), 'SystemAssigned', if(not(empty(coalesce(tryGet(parameters('managedIdentities'), 'userAssignedResourceId'), ''))), 'UserAssigned', null())), 'userAssignedIdentity', tryGet(parameters('managedIdentities'), 'userAssignedResourceId')), null())]" + "identity": "[if(not(empty(tryGet(parameters('properties'), 'managedIdentities'))), createObject('type', if(coalesce(tryGet(tryGet(parameters('properties'), 'managedIdentities'), 'systemAssigned'), false()), 'SystemAssigned', if(not(empty(coalesce(tryGet(tryGet(parameters('properties'), 'managedIdentities'), 'userAssignedResourceId'), ''))), 'UserAssigned', null())), 'userAssignedIdentity', tryGet(tryGet(parameters('properties'), 'managedIdentities'), 'userAssignedResourceId')), null())]" }, "resources": { + "eventHubNamespace::eventHub::authorizationRule": { + "condition": "[and(and(equals(parameters('properties').endpointType, 'EventHub'), equals(parameters('properties').endpointType, 'EventHub')), not(empty(tryGet(parameters('properties').authentication, 'eventHubAuthorizationRuleName'))))]", + "existing": true, + "type": "Microsoft.EventHub/namespaces/eventhubs/authorizationRules", + "apiVersion": "2024-01-01", + "subscriptionId": "[split(coalesce(parameters('properties').authentication.eventHubResourceId, '//'), '/')[2]]", + "resourceGroup": 
"[split(coalesce(parameters('properties').authentication.eventHubResourceId, '////'), '/')[4]]", + "name": "[format('{0}/{1}/{2}', split(coalesce(parameters('properties').authentication.eventHubResourceId, '////'), '/')[8], last(split(coalesce(parameters('properties').authentication.eventHubResourceId, '////'), '/')), tryGet(parameters('properties').authentication, 'eventHubAuthorizationRuleName'))]" + }, + "eventHubNamespace::eventHub": { + "condition": "[and(equals(parameters('properties').endpointType, 'EventHub'), equals(parameters('properties').endpointType, 'EventHub'))]", + "existing": true, + "type": "Microsoft.EventHub/namespaces/eventhubs", + "apiVersion": "2024-01-01", + "subscriptionId": "[split(coalesce(parameters('properties').authentication.eventHubResourceId, '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(parameters('properties').authentication.eventHubResourceId, '////'), '/')[4]]", + "name": "[format('{0}/{1}', split(coalesce(parameters('properties').authentication.eventHubResourceId, '////'), '/')[8], last(split(coalesce(parameters('properties').authentication.eventHubResourceId, '////'), '/')))]" + }, + "serviceBusNamespace::topic": { + "condition": "[and(equals(parameters('properties').endpointType, 'ServiceBus'), not(empty(tryGet(parameters('properties').authentication, 'serviceBusNamespaceTopicResourceId'))))]", + "existing": true, + "type": "Microsoft.ServiceBus/namespaces/topics", + "apiVersion": "2024-01-01", + "name": "[format('{0}/{1}', if(equals(parameters('properties').authentication.type, 'IdentityBased'), split(tryGet(parameters('properties').authentication, 'serviceBusNamespaceTopicResourceId'), '/')[8], split(tryGet(parameters('properties').authentication, 'serviceBusNamespaceAuthorizationRuleResourceId'), '/')[8]), last(split(tryGet(parameters('properties').authentication, 'serviceBusNamespaceTopicResourceId'), '/')))]" + }, + "serviceBusNamespace::authorizationRule": { + "condition": 
"[and(equals(parameters('properties').endpointType, 'ServiceBus'), not(empty(tryGet(parameters('properties').authentication, 'serviceBusNamespaceAuthorizationRuleResourceId'))))]", + "existing": true, + "type": "Microsoft.ServiceBus/namespaces/AuthorizationRules", + "apiVersion": "2024-01-01", + "name": "[format('{0}/{1}', if(equals(parameters('properties').authentication.type, 'IdentityBased'), split(tryGet(parameters('properties').authentication, 'serviceBusNamespaceTopicResourceId'), '/')[8], split(tryGet(parameters('properties').authentication, 'serviceBusNamespaceAuthorizationRuleResourceId'), '/')[8]), last(split(tryGet(parameters('properties').authentication, 'serviceBusNamespaceAuthorizationRuleResourceId'), '/')))]" + }, + "eventGridTopic": { + "condition": "[equals(parameters('properties').endpointType, 'EventGrid')]", + "existing": true, + "type": "Microsoft.EventGrid/topics", + "apiVersion": "2022-06-15", + "subscriptionId": "[split(coalesce(tryGet(parameters('properties'), 'eventGridTopicResourceId'), '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(tryGet(parameters('properties'), 'eventGridTopicResourceId'), '////'), '/')[4]]", + "name": "[last(split(tryGet(parameters('properties'), 'eventGridTopicResourceId'), '/'))]" + }, + "eventHubNamespace": { + "condition": "[equals(parameters('properties').endpointType, 'EventHub')]", + "existing": true, + "type": "Microsoft.EventHub/namespaces", + "apiVersion": "2024-01-01", + "subscriptionId": "[split(coalesce(parameters('properties').authentication.eventHubResourceId, '//'), '/')[2]]", + "resourceGroup": "[split(coalesce(parameters('properties').authentication.eventHubResourceId, '////'), '/')[4]]", + "name": "[split(coalesce(parameters('properties').authentication.eventHubResourceId, '////'), '/')[8]]" + }, + "serviceBusNamespace": { + "condition": "[equals(parameters('properties').endpointType, 'ServiceBus')]", + "existing": true, + "type": "Microsoft.ServiceBus/namespaces", + "apiVersion": 
"2024-01-01", + "name": "[if(equals(parameters('properties').authentication.type, 'IdentityBased'), split(tryGet(parameters('properties').authentication, 'serviceBusNamespaceTopicResourceId'), '/')[8], split(tryGet(parameters('properties').authentication, 'serviceBusNamespaceAuthorizationRuleResourceId'), '/')[8])]" + }, "digitalTwinsInstance": { "existing": true, "type": "Microsoft.DigitalTwins/digitalTwinsInstances", 
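Review bot: The three ServiceBus `existing` resources (`serviceBusNamespace::topic`, `serviceBusNamespace::authorizationRule`, `serviceBusNamespace`) declare no `subscriptionId`/`resourceGroup`, while the EventHub and EventGrid counterparts in the same hunk derive both from segments `[2]` and `[4]` of the supplied resource ID, so a `serviceBusNamespaceTopicResourceId` or `serviceBusNamespaceAuthorizationRuleResourceId` pointing at another resource group or subscription is silently re-scoped to the deployment's own resource group. I would give the ServiceBus resources the same `"subscriptionId": "[split(coalesce(<id>, '//'), '/')[2]]"` and `"resourceGroup": "[split(coalesce(<id>, '////'), '/')[4]]"` pair, selecting the topic ID for the identity-based case exactly as the `name` expression already does. Separately, the removed `deadLetterSecret`, `primaryConnectionString` and `secondaryConnectionString` parameters were `securestring`; they now travel inside the single `properties` object, and unless `propertiesType` (defined outside this hunk) is declared `@secure()`, the dead-letter SAS will be recorded in clear in deployment history — worth confirming before merge.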
@@ -1134,17 +1573,10 @@ "type": "Microsoft.DigitalTwins/digitalTwinsInstances/endpoints", "apiVersion": "2023-01-31", "name": "[format('{0}/{1}', parameters('digitalTwinInstanceName'), parameters('name'))]", - "properties": { - "endpointType": "ServiceBus", - "authenticationType": "[parameters('authenticationType')]", - "deadLetterSecret": "[parameters('deadLetterSecret')]", - "deadLetterUri": "[parameters('deadLetterUri')]", - "endpointUri": "[parameters('endpointUri')]", - "entityPath": "[parameters('entityPath')]", - "primaryConnectionString": "[parameters('primaryConnectionString')]", - "secondaryConnectionString": "[parameters('secondaryConnectionString')]", - "identity": "[variables('identity')]" - } + "properties": "[shallowMerge(createArray(createObject('endpointType', parameters('properties').endpointType, 'identity', variables('identity'), 'deadLetterSecret', tryGet(parameters('properties'), 'deadLetterSecret'), 'deadLetterUri', tryGet(parameters('properties'), 'deadLetterUri')), if(equals(parameters('properties').endpointType, 'EventGrid'), createObject('authenticationType', 'KeyBased', 'TopicEndpoint', tryGet(tryGet(reference('eventGridTopic', '2022-06-15', 'full'), 'properties'), 'endpoint'), 'accessKey1', listkeys(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(coalesce(tryGet(parameters('properties'), 'eventGridTopicResourceId'), '//'), '/')[2], split(coalesce(tryGet(parameters('properties'), 'eventGridTopicResourceId'), '////'), '/')[4]), 'Microsoft.EventGrid/topics', last(split(tryGet(parameters('properties'), 'eventGridTopicResourceId'), '/'))), '2022-06-15').key1, 'accessKey2', listkeys(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(coalesce(tryGet(parameters('properties'), 'eventGridTopicResourceId'), '//'), '/')[2], split(coalesce(tryGet(parameters('properties'), 'eventGridTopicResourceId'), '////'), '/')[4]), 'Microsoft.EventGrid/topics', last(split(tryGet(parameters('properties'), 
'eventGridTopicResourceId'), '/'))), '2022-06-15').key2), createObject()), if(equals(parameters('properties').endpointType, 'EventHub'), shallowMerge(createArray(createObject('authenticationType', parameters('properties').authenticationType), if(equals(parameters('properties').authentication.type, 'IdentityBased'), createObject('endpointUri', format('sb://{0}.servicebus.windows.net/', split(coalesce(parameters('properties').authentication.eventHubResourceId, '////'), '/')[8]), 'entityPath', last(split(coalesce(parameters('properties').authentication.eventHubResourceId, '////'), '/'))), createObject('connectionStringPrimaryKey', listKeys(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(coalesce(parameters('properties').authentication.eventHubResourceId, '//'), '/')[2], split(coalesce(parameters('properties').authentication.eventHubResourceId, '////'), '/')[4]), 'Microsoft.EventHub/namespaces/eventhubs/authorizationRules', split(coalesce(parameters('properties').authentication.eventHubResourceId, '////'), '/')[8], last(split(coalesce(parameters('properties').authentication.eventHubResourceId, '////'), '/')), tryGet(parameters('properties').authentication, 'eventHubAuthorizationRuleName')), '2024-01-01').primaryConnectionString, 'connectionStringSecondaryKey', listKeys(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', split(coalesce(parameters('properties').authentication.eventHubResourceId, '//'), '/')[2], split(coalesce(parameters('properties').authentication.eventHubResourceId, '////'), '/')[4]), 'Microsoft.EventHub/namespaces/eventhubs/authorizationRules', split(coalesce(parameters('properties').authentication.eventHubResourceId, '////'), '/')[8], last(split(coalesce(parameters('properties').authentication.eventHubResourceId, '////'), '/')), tryGet(parameters('properties').authentication, 'eventHubAuthorizationRuleName')), '2024-01-01').secondaryConnectionString)))), createObject()), 
if(equals(parameters('properties').endpointType, 'ServiceBus'), shallowMerge(createArray(createObject('authenticationType', parameters('properties').authentication.type), if(equals(parameters('properties').authentication.type, 'IdentityBased'), createObject('endpointUri', format('sb://{0}.servicebus.windows.net/', if(equals(parameters('properties').authentication.type, 'IdentityBased'), split(tryGet(parameters('properties').authentication, 'serviceBusNamespaceTopicResourceId'), '/')[8], split(tryGet(parameters('properties').authentication, 'serviceBusNamespaceAuthorizationRuleResourceId'), '/')[8])), 'entityPath', last(split(tryGet(parameters('properties').authentication, 'serviceBusNamespaceTopicResourceId'), '/'))), createObject('primaryConnectionString', listKeys(resourceId('Microsoft.ServiceBus/namespaces/AuthorizationRules', if(equals(parameters('properties').authentication.type, 'IdentityBased'), split(tryGet(parameters('properties').authentication, 'serviceBusNamespaceTopicResourceId'), '/')[8], split(tryGet(parameters('properties').authentication, 'serviceBusNamespaceAuthorizationRuleResourceId'), '/')[8]), last(split(tryGet(parameters('properties').authentication, 'serviceBusNamespaceAuthorizationRuleResourceId'), '/'))), '2024-01-01').primaryConnectionString, 'secondaryConnectionString', listKeys(resourceId('Microsoft.ServiceBus/namespaces/AuthorizationRules', if(equals(parameters('properties').authentication.type, 'IdentityBased'), split(tryGet(parameters('properties').authentication, 'serviceBusNamespaceTopicResourceId'), '/')[8], split(tryGet(parameters('properties').authentication, 'serviceBusNamespaceAuthorizationRuleResourceId'), '/')[8]), last(split(tryGet(parameters('properties').authentication, 'serviceBusNamespaceAuthorizationRuleResourceId'), '/'))), '2024-01-01').secondaryConnectionString)))), createObject())))]", + "dependsOn": [ + "eventGridTopic" + ] } }, "outputs": { 
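Review bot: The EventHub branch sets the endpoint's `authenticationType` from `parameters('properties').authenticationType`, while every other reference in this template — the ServiceBus branch on the same line, and the `existing` resource names and conditions — reads `parameters('properties').authentication.type`; unless `propertiesType` declares both properties, the EventHub endpoint is sent a null `authenticationType`, and the line should read `createObject('authenticationType', parameters('properties').authentication.type)`. The ServiceBus key-based branch also fetches keys via `listKeys(resourceId('Microsoft.ServiceBus/namespaces/AuthorizationRules', ...))`, which resolves in the deployment's resource group, whereas the EventHub and EventGrid branches build an `extensionResourceId` from the subscription and resource-group segments of the supplied ID — a rule in another resource group would have its keys read from (or fail against) the wrong namespace. Because the template now calls `listKeys`/`listkeys` at deployment time instead of accepting connection strings as secure parameters, the deploying principal needs the corresponding list-keys permission on the Event Grid topic, Event Hub authorization rule or Service Bus authorization rule; that is a new requirement the module documentation should state. The key-based EventHub `listKeys` is not guarded by the `not(empty(... 'eventHubAuthorizationRuleName'))` check that the `existing` resource uses, so a missing rule name yields a malformed resource ID rather than a clear validation error.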
@@ -1168,13 +1600,6 @@ "description": "The name of the Endpoint." }, "value": "[parameters('name')]" - }, - "systemAssignedMIPrincipalId": { - "type": "string", - "metadata": { - "description": "The principal ID of the system assigned identity. Note: As of 2024-03 is not exported by API." - }, - "value": "[coalesce(tryGet(tryGet(reference('endpoint', '2023-01-31', 'full'), 'identity'), 'principalId'), '')]" } } } @@ -1215,11 +1640,8 @@ "lock": { "value": "[coalesce(tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'lock'), parameters('lock'))]" }, - "privateDnsZoneGroupName": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroupName')]" - }, - "privateDnsZoneResourceIds": { - "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneResourceIds')]" + "privateDnsZoneGroup": { + "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'privateDnsZoneGroup')]" }, "roleAssignments": { "value": "[tryGet(coalesce(parameters('privateEndpoints'), createArray())[copyIndex()], 'roleAssignments')]" 
@@ -1247,79 +1669,189 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.25.53.49325", - "templateHash": "4120048060064073955" + "version": "0.30.23.60470", + "templateHash": "6724714132049298262" }, "name": "Private Endpoints", "description": "This module deploys a Private Endpoint.", "owner": "Azure/module-maintainers" }, "definitions": { - "roleAssignmentType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "roleDefinitionIdOrName": { - "type": "string", - "metadata": { - "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." - } - }, - "principalId": { - "type": "string", - "metadata": { - "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." - } + "privateDnsZoneGroupType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the Private DNS Zone Group." + } + }, + "privateDnsZoneGroupConfigs": { + "type": "array", + "items": { + "$ref": "#/definitions/privateDnsZoneGroupConfigType" }, - "principalType": { - "type": "string", - "allowedValues": [ - "Device", - "ForeignGroup", - "Group", - "ServicePrincipal", - "User" - ], - "nullable": true, - "metadata": { - "description": "Optional. The principal type of the assigned principal ID." + "metadata": { + "description": "Required. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." + } + } + }, + "metadata": { + "__bicep_export!": true + } + }, + "ipConfigurationType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the resource that is unique within a resource group." 
+ } + }, + "properties": { + "type": "object", + "properties": { + "groupId": { + "type": "string", + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. If used with private link service connection, this property must be defined as empty string." + } + }, + "memberName": { + "type": "string", + "metadata": { + "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to. If used with private link service connection, this property must be defined as empty string." + } + }, + "privateIPAddress": { + "type": "string", + "metadata": { + "description": "Required. A private IP address obtained from the private endpoint's subnet." + } } }, - "description": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The description of the role assignment." + "metadata": { + "description": "Required. Properties of private endpoint IP configurations." + } + } + }, + "metadata": { + "__bicep_export!": true + } + }, + "manualPrivateLinkServiceConnectionType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the private link service connection." + } + }, + "properties": { + "type": "object", + "properties": { + "groupIds": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. If used with private link service connection, this property must be defined as empty string array `[]`." + } + }, + "privateLinkServiceId": { + "type": "string", + "metadata": { + "description": "Required. The resource id of private link service." + } + }, + "requestMessage": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. 
A message passed to the owner of the remote resource with this connection request. Restricted to 140 chars." + } } }, - "condition": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." + "metadata": { + "description": "Required. Properties of private link service connection." + } + } + }, + "metadata": { + "__bicep_export!": true + } + }, + "privateLinkServiceConnectionType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "metadata": { + "description": "Required. The name of the private link service connection." + } + }, + "properties": { + "type": "object", + "properties": { + "groupIds": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to. If used with private link service connection, this property must be defined as empty string array `[]`." + } + }, + "privateLinkServiceId": { + "type": "string", + "metadata": { + "description": "Required. The resource id of private link service." + } + }, + "requestMessage": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. A message passed to the owner of the remote resource with this connection request. Restricted to 140 chars." + } } }, - "conditionVersion": { - "type": "string", - "allowedValues": [ - "2.0" - ], - "nullable": true, - "metadata": { - "description": "Optional. Version of the condition." - } + "metadata": { + "description": "Required. Properties of private link service connection." 
+ } + } + }, + "metadata": { + "__bicep_export!": true + } + }, + "customDnsConfigType": { + "type": "object", + "properties": { + "fqdn": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. FQDN that resolves to private endpoint IP address." + } + }, + "ipAddresses": { + "type": "array", + "items": { + "type": "string" }, - "delegatedManagedIdentityResourceId": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. The Resource Id of the delegated managed identity resource." - } + "metadata": { + "description": "Required. A list of private IP addresses of the private endpoint." } } }, - "nullable": true + "metadata": { + "__bicep_export!": true + } }, "lockType": { "type": "object", 
@@ -1344,155 +1876,110 @@ } } }, - "nullable": true - }, - "ipConfigurationsType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the resource that is unique within a resource group." - } - }, - "properties": { - "type": "object", - "properties": { - "groupId": { - "type": "string", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "memberName": { - "type": "string", - "metadata": { - "description": "Required. The member name of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateIPAddress": { - "type": "string", - "metadata": { - "description": "Required. A private IP address obtained from the private endpoint's subnet." - } - } - }, - "metadata": { - "description": "Required. Properties of private endpoint IP configurations." - } - } + "metadata": { + "description": "An AVM-aligned type for a lock.", + "__bicep_imported_from!": { + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.1" } - }, - "nullable": true + } }, - "manualPrivateLinkServiceConnectionsType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the private link service connection." - } - }, - "properties": { - "type": "object", - "properties": { - "groupIds": { - "type": "array", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateLinkServiceId": { - "type": "string", - "metadata": { - "description": "Required. The resource id of private link service." - } - }, - "requestMessage": { - "type": "string", - "metadata": { - "description": "Optional. 
A message passed to the owner of the remote resource with this connection request. Restricted to 140 chars." - } - } - }, - "metadata": { - "description": "Required. Properties of private link service connection." - } + "privateDnsZoneGroupConfigType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private DNS zone group config." } - } - }, - "nullable": true - }, - "privateLinkServiceConnectionsType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "name": { - "type": "string", - "metadata": { - "description": "Required. The name of the private link service connection." - } - }, - "properties": { - "type": "object", - "properties": { - "groupIds": { - "type": "array", - "metadata": { - "description": "Required. The ID of a group obtained from the remote resource that this private endpoint should connect to." - } - }, - "privateLinkServiceId": { - "type": "string", - "metadata": { - "description": "Required. The resource id of private link service." - } - }, - "requestMessage": { - "type": "string", - "nullable": true, - "metadata": { - "description": "Optional. A message passed to the owner of the remote resource with this connection request. Restricted to 140 chars." - } - } - }, - "metadata": { - "description": "Required. Properties of private link service connection." - } + }, + "privateDnsZoneResourceId": { + "type": "string", + "metadata": { + "description": "Required. The resource id of the private DNS zone." } } }, - "nullable": true + "metadata": { + "__bicep_imported_from!": { + "sourceTemplate": "private-dns-zone-group/main.bicep" + } + } }, - "customDnsConfigType": { - "type": "array", - "items": { - "type": "object", - "properties": { - "fqdn": { - "type": "string", - "metadata": { - "description": "Required. Fqdn that resolves to private endpoint IP address." 
- } - }, - "ipAddresses": { - "type": "array", - "items": { - "type": "string" - }, - "metadata": { - "description": "Required. A list of private IP addresses of the private endpoint." - } + "roleAssignmentType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name (as GUID) of the role assignment. If not provided, a GUID will be generated." + } + }, + "roleDefinitionIdOrName": { + "type": "string", + "metadata": { + "description": "Required. The role to assign. You can provide either the display name of the role definition, the role definition GUID, or its fully qualified ID in the following format: '/providers/Microsoft.Authorization/roleDefinitions/c2f4ef07-c644-48eb-af81-4b1b4947fb11'." + } + }, + "principalId": { + "type": "string", + "metadata": { + "description": "Required. The principal ID of the principal (user/group/identity) to assign the role to." + } + }, + "principalType": { + "type": "string", + "allowedValues": [ + "Device", + "ForeignGroup", + "Group", + "ServicePrincipal", + "User" + ], + "nullable": true, + "metadata": { + "description": "Optional. The principal type of the assigned principal ID." + } + }, + "description": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The description of the role assignment." + } + }, + "condition": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The conditions on the role assignment. This limits the resources it can be assigned to. e.g.: @Resource[Microsoft.Storage/storageAccounts/blobServices/containers:ContainerName] StringEqualsIgnoreCase \"foo_storage_container\"." + } + }, + "conditionVersion": { + "type": "string", + "allowedValues": [ + "2.0" + ], + "nullable": true, + "metadata": { + "description": "Optional. Version of the condition." 
+ } + }, + "delegatedManagedIdentityResourceId": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The Resource Id of the delegated managed identity resource." } } }, - "nullable": true + "metadata": { + "description": "An AVM-aligned type for a role assignment.", + "__bicep_imported_from!": { + "sourceTemplate": "br:mcr.microsoft.com/bicep/avm/utl/types/avm-common-types:0.2.1" + } + } } }, "parameters": { @@ -1510,6 +1997,9 @@ }, "applicationSecurityGroupResourceIds": { "type": "array", + "items": { + "type": "string" + }, "nullable": true, "metadata": { "description": "Optional. Application security groups in which the private endpoint IP configuration is included." @@ -1523,23 +2013,20 @@ } }, "ipConfigurations": { - "$ref": "#/definitions/ipConfigurationsType", - "metadata": { - "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." - } - }, - "privateDnsZoneGroupName": { - "type": "string", + "type": "array", + "items": { + "$ref": "#/definitions/ipConfigurationType" + }, "nullable": true, "metadata": { - "description": "Optional. The name of the private DNS zone group to create if `privateDnsZoneResourceIds` were provided." + "description": "Optional. A list of IP configurations of the private endpoint. This will be used to map to the First Party Service endpoints." } }, - "privateDnsZoneResourceIds": { - "type": "array", + "privateDnsZoneGroup": { + "$ref": "#/definitions/privateDnsZoneGroupType", "nullable": true, "metadata": { - "description": "Optional. The private DNS zone groups to associate the private endpoint. A DNS zone group can support up to 5 DNS zones." + "description": "Optional. The private DNS zone group to configure for the private endpoint." } }, "location": { 
@@ -1551,12 +2038,17 @@ }, "lock": { "$ref": "#/definitions/lockType", + "nullable": true, "metadata": { "description": "Optional. The lock settings of the service." } }, "roleAssignments": { - "$ref": "#/definitions/roleAssignmentType", + "type": "array", + "items": { + "$ref": "#/definitions/roleAssignmentType" + }, + "nullable": true, "metadata": { "description": "Optional. Array of role assignments to create." } @@ -1569,19 +2061,31 @@ } }, "customDnsConfigs": { - "$ref": "#/definitions/customDnsConfigType", + "type": "array", + "items": { + "$ref": "#/definitions/customDnsConfigType" + }, + "nullable": true, "metadata": { "description": "Optional. Custom DNS configurations." } }, "manualPrivateLinkServiceConnections": { - "$ref": "#/definitions/manualPrivateLinkServiceConnectionsType", + "type": "array", + "items": { + "$ref": "#/definitions/manualPrivateLinkServiceConnectionType" + }, + "nullable": true, "metadata": { "description": "Optional. A grouping of information about the connection to the remote resource. Used when the network admin does not have access to approve connections to the remote resource." } }, "privateLinkServiceConnections": { - "$ref": "#/definitions/privateLinkServiceConnectionsType", + "type": "array", + "items": { + "$ref": "#/definitions/privateLinkServiceConnectionType" + }, + "nullable": true, "metadata": { "description": "Optional. A grouping of information about the connection to the remote resource." } 
@@ -1595,6 +2099,13 @@ } }, "variables": { + "copy": [ + { + "name": "formattedRoleAssignments", + "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]", + "input": "[union(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')], createObject('roleDefinitionId', coalesce(tryGet(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName), if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex('formattedRoleAssignments')].roleDefinitionIdOrName)))))]" + } + ], "builtInRoleNames": { "Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c')]", "DNS Resolver Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '0f2ebee7-ffd4-4fc0-b3b7-664099fdad5d')]", 
@@ -1605,15 +2116,15 @@ "Owner": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '8e3af657-a8ff-443c-a75c-2fe8c4bcb635')]", "Private DNS Zone Contributor": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b12aa53e-6015-4669-85d0-8515ebb3ae7f')]", "Reader": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7')]", - "Role Based Access Control Administrator (Preview)": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" + "Role Based Access Control Administrator": "[subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f58310d9-a9f6-439a-9e8d-f62e7b41a168')]" } }, "resources": { "avmTelemetry": { "condition": "[parameters('enableTelemetry')]", "type": "Microsoft.Resources/deployments", - "apiVersion": "2023-07-01", - "name": "[format('46d3xbcp.res.network-privateendpoint.{0}.{1}', replace('0.4.1', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", + "apiVersion": "2024-03-01", + "name": "[format('46d3xbcp.res.network-privateendpoint.{0}.{1}', replace('0.9.0', '.', '-'), substring(uniqueString(deployment().name, parameters('location')), 0, 4))]", "properties": { "mode": "Incremental", "template": { @@ -1631,7 +2142,7 @@ }, "privateEndpoint": { "type": "Microsoft.Network/privateEndpoints", - "apiVersion": "2023-04-01", + "apiVersion": "2023-11-01", "name": "[parameters('name')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", 
@@ -1672,27 +2183,27 @@ "privateEndpoint_roleAssignments": { "copy": { "name": "privateEndpoint_roleAssignments", - "count": "[length(coalesce(parameters('roleAssignments'), createArray()))]" + "count": "[length(coalesce(variables('formattedRoleAssignments'), createArray()))]" }, "type": "Microsoft.Authorization/roleAssignments", "apiVersion": "2022-04-01", "scope": "[format('Microsoft.Network/privateEndpoints/{0}', parameters('name'))]", - "name": "[guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId, coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)]", + "name": "[coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'name'), guid(resourceId('Microsoft.Network/privateEndpoints', parameters('name')), coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId, coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId))]", "properties": { - "roleDefinitionId": "[if(contains(variables('builtInRoleNames'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName), variables('builtInRoleNames')[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName], if(contains(coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, '/providers/Microsoft.Authorization/roleDefinitions/'), coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName, subscriptionResourceId('Microsoft.Authorization/roleDefinitions', coalesce(parameters('roleAssignments'), createArray())[copyIndex()].roleDefinitionIdOrName)))]", - "principalId": "[coalesce(parameters('roleAssignments'), createArray())[copyIndex()].principalId]", - "description": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 
'description')]", - "principalType": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'principalType')]", - "condition": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition')]", - "conditionVersion": "[if(not(empty(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", - "delegatedManagedIdentityResourceId": "[tryGet(coalesce(parameters('roleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" + "roleDefinitionId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].roleDefinitionId]", + "principalId": "[coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()].principalId]", + "description": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'description')]", + "principalType": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'principalType')]", + "condition": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition')]", + "conditionVersion": "[if(not(empty(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'condition'))), coalesce(tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'conditionVersion'), '2.0'), null())]", + "delegatedManagedIdentityResourceId": "[tryGet(coalesce(variables('formattedRoleAssignments'), createArray())[copyIndex()], 'delegatedManagedIdentityResourceId')]" }, "dependsOn": [ "privateEndpoint" ] }, "privateEndpoint_privateDnsZoneGroup": { - "condition": "[not(empty(parameters('privateDnsZoneResourceIds')))]", + "condition": "[not(empty(parameters('privateDnsZoneGroup')))]", "type": "Microsoft.Resources/deployments", "apiVersion": "2022-09-01", "name": 
"[format('{0}-PrivateEndpoint-PrivateDnsZoneGroup', uniqueString(deployment().name))]", @@ -1703,28 +2214,52 @@ "mode": "Incremental", "parameters": { "name": { - "value": "[coalesce(parameters('privateDnsZoneGroupName'), 'default')]" - }, - "privateDNSResourceIds": { - "value": "[coalesce(parameters('privateDnsZoneResourceIds'), createArray())]" + "value": "[tryGet(parameters('privateDnsZoneGroup'), 'name')]" }, "privateEndpointName": { "value": "[parameters('name')]" + }, + "privateDnsZoneConfigs": { + "value": "[parameters('privateDnsZoneGroup').privateDnsZoneGroupConfigs]" } }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "languageVersion": "2.0", "contentVersion": "1.0.0.0", "metadata": { "_generator": { "name": "bicep", - "version": "0.25.53.49325", - "templateHash": "11244630631275470040" + "version": "0.30.23.60470", + "templateHash": "12329174801198479603" }, "name": "Private Endpoint Private DNS Zone Groups", "description": "This module deploys a Private Endpoint Private DNS Zone Group.", "owner": "Azure/module-maintainers" }, + "definitions": { + "privateDnsZoneGroupConfigType": { + "type": "object", + "properties": { + "name": { + "type": "string", + "nullable": true, + "metadata": { + "description": "Optional. The name of the private DNS zone group config." + } + }, + "privateDnsZoneResourceId": { + "type": "string", + "metadata": { + "description": "Required. The resource id of the private DNS zone." + } + } + }, + "metadata": { + "__bicep_export!": true + } + } + }, "parameters": { "privateEndpointName": { "type": "string", 
@@ -1732,12 +2267,15 @@ "description": "Conditional. The name of the parent private endpoint. Required if the template is used in a standalone deployment." } }, - "privateDNSResourceIds": { + "privateDnsZoneConfigs": { "type": "array", + "items": { + "$ref": "#/definitions/privateDnsZoneGroupConfigType" + }, "minLength": 1, "maxLength": 5, "metadata": { - "description": "Required. Array of private DNS zone resource IDs. A DNS zone group can support up to 5 DNS zones." + "description": "Required. Array of private DNS zone configurations of the private DNS zone group. A DNS zone group can support up to 5 DNS zones." } }, "name": { 
@@ -1751,27 +2289,36 @@ "variables": { "copy": [ { - "name": "privateDnsZoneConfigs", - "count": "[length(parameters('privateDNSResourceIds'))]", + "name": "privateDnsZoneConfigsVar", + "count": "[length(parameters('privateDnsZoneConfigs'))]", "input": { - "name": "[last(split(parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')], '/'))]", + "name": "[coalesce(tryGet(parameters('privateDnsZoneConfigs')[copyIndex('privateDnsZoneConfigsVar')], 'name'), last(split(parameters('privateDnsZoneConfigs')[copyIndex('privateDnsZoneConfigsVar')].privateDnsZoneResourceId, '/')))]", "properties": { - "privateDnsZoneId": "[parameters('privateDNSResourceIds')[copyIndex('privateDnsZoneConfigs')]]" + "privateDnsZoneId": "[parameters('privateDnsZoneConfigs')[copyIndex('privateDnsZoneConfigsVar')].privateDnsZoneResourceId]" } } } ] }, - "resources": [ - { + "resources": { + "privateEndpoint": { + "existing": true, + "type": "Microsoft.Network/privateEndpoints", + "apiVersion": "2023-11-01", + "name": "[parameters('privateEndpointName')]" + }, + "privateDnsZoneGroup": { "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", - "apiVersion": "2023-04-01", + "apiVersion": "2023-11-01", "name": "[format('{0}/{1}', parameters('privateEndpointName'), parameters('name'))]", "properties": { - "privateDnsZoneConfigs": "[variables('privateDnsZoneConfigs')]" - } + "privateDnsZoneConfigs": "[variables('privateDnsZoneConfigsVar')]" + }, + "dependsOn": [ + "privateEndpoint" + ] } - ], + }, "outputs": { "name": { "type": "string", 
@@ -1829,14 +2376,35 @@ "metadata": { "description": "The location the resource was deployed into." }, - "value": "[reference('privateEndpoint', '2023-04-01', 'full').location]" + "value": "[reference('privateEndpoint', '2023-11-01', 'full').location]" + }, + "customDnsConfig": { + "type": "array", + "items": { + "$ref": "#/definitions/customDnsConfigType" + }, + "metadata": { + "description": "The custom DNS configurations of the private endpoint." + }, + "value": "[reference('privateEndpoint').customDnsConfigs]" + }, + "networkInterfaceResourceIds": { + "type": "array", + "items": { + "type": "string" + }, + "metadata": { + "description": "The resource IDs of the network interfaces associated with the private endpoint." + }, + "value": "[map(reference('privateEndpoint').networkInterfaces, lambda('nic', lambdaVariables('nic').id))]" }, "groupId": { "type": "string", + "nullable": true, "metadata": { "description": "The group Id for the private endpoint Group." }, - "value": "[if(not(empty(reference('privateEndpoint').manualPrivateLinkServiceConnections)), reference('privateEndpoint').manualPrivateLinkServiceConnections[0].properties.groupIds[0], reference('privateEndpoint').privateLinkServiceConnections[0].properties.groupIds[0])]" + "value": "[coalesce(tryGet(tryGet(tryGet(tryGet(reference('privateEndpoint'), 'manualPrivateLinkServiceConnections'), 0, 'properties'), 'groupIds'), 0), tryGet(tryGet(tryGet(tryGet(reference('privateEndpoint'), 'privateLinkServiceConnections'), 0, 'properties'), 'groupIds'), 0))]" } } } 
@@ -1884,10 +2452,30 @@ }, "systemAssignedMIPrincipalId": { "type": "string", + "nullable": true, "metadata": { "description": "The principal ID of the system assigned identity." }, - "value": "[coalesce(tryGet(tryGet(reference('digitalTwinsInstance', '2023-01-31', 'full'), 'identity'), 'principalId'), '')]" + "value": "[tryGet(tryGet(reference('digitalTwinsInstance', '2023-01-31', 'full'), 'identity'), 'principalId')]" + }, + "privateEndpoints": { + "type": "array", + "items": { + "$ref": "#/definitions/privateEndpointOutputType" + }, + "metadata": { + "description": "The private endpoints of the key vault." + }, + "copy": { + "count": "[length(coalesce(parameters('privateEndpoints'), createArray()))]", + "input": { + "name": "[reference(format('digitalTwinsInstance_privateEndpoints[{0}]', copyIndex())).outputs.name.value]", + "resourceId": "[reference(format('digitalTwinsInstance_privateEndpoints[{0}]', copyIndex())).outputs.resourceId.value]", + "groupId": "[reference(format('digitalTwinsInstance_privateEndpoints[{0}]', copyIndex())).outputs.groupId.value]", + "customDnsConfigs": "[reference(format('digitalTwinsInstance_privateEndpoints[{0}]', copyIndex())).outputs.customDnsConfig.value]", + "networkInterfaceResourceIds": "[reference(format('digitalTwinsInstance_privateEndpoints[{0}]', copyIndex())).outputs.networkInterfaceResourceIds.value]" + } + } } } } \ No newline at end of file diff --git a/avm/res/digital-twins/digital-twins-instance/tests/e2e/max/dependencies.bicep b/avm/res/digital-twins/digital-twins-instance/tests/e2e/max/dependencies.bicep index ea5443ccc1..f5361c9750 100644 --- a/avm/res/digital-twins/digital-twins-instance/tests/e2e/max/dependencies.bicep +++ b/avm/res/digital-twins/digital-twins-instance/tests/e2e/max/dependencies.bicep 
@@ -13,11 +13,11 @@ param eventHubNamespaceName string @description('Required. The name of the Event Hub to create.') param eventHubName string -@description('Required. Service Bus name') -param serviceBusName string +@description('Required. The name of the Service Bus Namespace to create.') +param serviceBusNamespaceName string -@description('Required. Event Grid Domain name.') -param eventGridDomainName string +@description('Required. The name of the Event Grid Topic to create.') +param eventGridTopicName string var addressPrefix = '10.0.0.0/16' @@ -67,6 +67,11 @@ resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { } } +resource eventGridTopic 'Microsoft.EventGrid/topics@2022-06-15' = { + name: eventGridTopicName + location: location +} + resource eventHubNamespace 'Microsoft.EventHub/namespaces@2022-10-01-preview' = { name: eventHubNamespaceName location: location @@ -78,11 +83,21 @@ resource eventHubNamespace 'Microsoft.EventHub/namespaces@2022-10-01-preview' = resource eventHub 'eventhubs@2022-10-01-preview' = { name: eventHubName + + resource authorizationRule 'authorizationRules@2024-01-01' = { + name: 'testRule' + properties: { + rights: [ + 'Listen' + 'Send' + ] + } + } } } -resource serviceBus 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' = { - name: serviceBusName +resource serviceBusNamespace 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' = { + name: serviceBusNamespaceName location: location properties: { zoneRedundant: false 
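Review bot: The `authorizationRules` resource `testRule` added under `eventHub` grants `Listen` in addition to `Send`, yet the only consumer visible in this diff is the `KeyBasedEndpoint` in tests/e2e/max/main.test.bicep, which publishes to the hub and never reads from it, so `rights: [ 'Send' ]` is the least-privileged rule. The Service Bus topic rule in the next hunk (`@@ -90,18 +105,17 @@`) goes further and also grants `Manage`, which permits altering the topic and its rules and is likewise unused by the `KeyBasedServiceBusEndpoint`; trim it to `Send` as well, and apply the same to the byte-identical copy in tests/e2e/testMe/dependencies.bicep. Key-based rules become credentials stored in the Digital Twins endpoint configuration, so keeping them narrow bounds what a leaked key can do. The enclosing `eventHubNamespace` resource starts and ends outside the hunk.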
@@ -90,18 +105,17 @@ resource serviceBus 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' = { resource topic 'topics@2022-10-01-preview' = { name: 'topic' - } -} - -resource eventGridDomain 'Microsoft.EventGrid/domains@2022-06-15' = { - name: eventGridDomainName - location: location - properties: { - disableLocalAuth: false - } - resource topic 'topics@2022-06-15' = { - name: 'topic' + resource authorizationRule 'authorizationRules@2024-01-01' = { + name: 'testRule' + properties: { + rights: [ + 'Listen' + 'Send' + 'Manage' + ] + } + } } } @@ -120,7 +134,7 @@ resource eventHubNamespaceRbacAssignment 'Microsoft.Authorization/roleAssignment resource serviceBusRbacAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = { name: guid(managedIdentity.id, 'sbrbacAssignment') - scope: serviceBus + scope: serviceBusNamespace properties: { roleDefinitionId: subscriptionResourceId( 'Microsoft.Authorization/roleDefinitions', 
@@ -141,28 +155,25 @@ output managedIdentityPrincipalId string = managedIdentity.properties.principalI output privateDNSZoneResourceId string = privateDNSZone.id @description('The name of the Event Hub Namespace.') -output eventhubNamespaceName string = eventHubNamespace.name +output eventHubNamespaceName string = eventHubNamespace.name -@description('The resource ID of the created Event Hub Namespace.') -output eventHubResourceId string = eventHubNamespace::eventHub.id +@description('The name of the Event Hub Namespace Event Hub Authorization Rule.') +output eventHubNamespaceEventHubAuthorizationRuleName string = eventHubNamespace::eventHub::authorizationRule.name -@description('The name of the Event Hub.') -output eventhubName string = eventHubNamespace::eventHub.name +@description('The resource ID of the Service Bus Namespace Topic.') +output serviceBusNamespaceTopicResourceId string = serviceBusNamespace::topic.id -@description('The name of the Service Bus Namespace.') -output serviceBusName string = serviceBus.name +@description('The resource ID of the Service Bus Namespace Topic Authorization Rule.') +output serviceBusNamespaceTopicAuthorizationRuleName string = serviceBusNamespace::topic::authorizationRule.name -@description('The name of the Service Bus Topic.') -output serviceBusTopicName string = serviceBus::topic.name - -@description('The Event Grid endpoint uri.') -output eventGridEndpoint string = eventGridDomain.properties.endpoint +@description('The resource ID of the created Managed Identity.') +output managedIdentityResourceId string = managedIdentity.id @description('The resource ID of the created Event Grid Topic.') -output eventGridTopicResourceId string = eventGridDomain::topic.id +output eventGridTopicResourceId string = eventGridTopic.id -@description('The resource ID of the created Event Grid Domain.') -output eventGridDomainResourceId string = eventGridDomain.id +@description('The endpoint of the created Event Grid Topic.') +output 
eventGridTopicEndpoint string = eventGridTopic.properties.endpoint -@description('The resource ID of the created Managed Identity.') -output managedIdentityResourceId string = managedIdentity.id +@description('The resource ID of the created Event Hub Namespace Event Hub.') +output eventHubNamespaceEventHubResourceId string = eventHubNamespace::eventHub.id diff --git a/avm/res/digital-twins/digital-twins-instance/tests/e2e/max/main.test.bicep b/avm/res/digital-twins/digital-twins-instance/tests/e2e/max/main.test.bicep index 896cffba56..6932a55238 100644 --- a/avm/res/digital-twins/digital-twins-instance/tests/e2e/max/main.test.bicep +++ b/avm/res/digital-twins/digital-twins-instance/tests/e2e/max/main.test.bicep @@ -38,10 +38,10 @@ module nestedDependencies 'dependencies.bicep' = { location: resourceLocation virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' - eventHubName: 'dt-${serviceShort}-evh-01' - eventHubNamespaceName: 'dt-${serviceShort}-evhns-01' - serviceBusName: 'dt-${serviceShort}-sb-01' - eventGridDomainName: 'dt-${serviceShort}-evg-01' + eventHubName: 'dep-${serviceShort}-evh-01' + eventHubNamespaceName: 'dep-${serviceShort}-evhns-01' + serviceBusNamespaceName: 'dep-${serviceShort}-sb-01' + eventGridTopicName: 'dep-${serviceShort}-evgt-01' } } 
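Review bot: The new output `serviceBusNamespaceTopicAuthorizationRuleName` returns `serviceBusNamespace::topic::authorizationRule.name`, but its decorator reads `@description('The resource ID of the Service Bus Namespace Topic Authorization Rule.')`; the value is a name, not a resource ID, and the output's own name says so. Change it to `@description('The name of the Service Bus Namespace Topic Authorization Rule.')`, matching the wording already used for `eventHubNamespaceEventHubAuthorizationRuleName` two outputs above. The same mismatch is present in the copy under tests/e2e/testMe/dependencies.bicep.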
@@ -77,40 +77,75 @@ module testDeployment '../../../main.bicep' = [ nestedDependencies.outputs.managedIdentityResourceId ] } - eventHubEndpoints: [ + endpoints: [ { - authenticationType: 'IdentityBased' - endpointUri: 'sb://${nestedDependencies.outputs.eventhubNamespaceName}.servicebus.windows.net/' - entityPath: nestedDependencies.outputs.eventhubName - managedIdentities: { - userAssignedResourceId: nestedDependencies.outputs.managedIdentityResourceId + name: 'EventGridPrimary' + properties: { + endpointType: 'EventGrid' + eventGridTopicResourceId: nestedDependencies.outputs.eventGridTopicResourceId + eventGridTopicEndpoint: nestedDependencies.outputs.eventGridTopicEndpoint } } - ] - serviceBusEndpoints: [ { - name: 'ServiceBusPrimary' - authenticationType: 'IdentityBased' - endpointUri: 'sb://${nestedDependencies.outputs.serviceBusName}.servicebus.windows.net/' - entityPath: nestedDependencies.outputs.serviceBusTopicName - managedIdentities: { - userAssignedResourceId: nestedDependencies.outputs.managedIdentityResourceId + name: 'IdentityBasedEndpoint' + properties: { + endpointType: 'EventHub' + authentication: { + eventHubResourceId: nestedDependencies.outputs.eventHubNamespaceEventHubResourceId + type: 'IdentityBased' + managedIdentities: { + userAssignedResourceId: nestedDependencies.outputs.managedIdentityResourceId + } + } } } { - name: 'ServiceBusSeconday' - authenticationType: 'IdentityBased' - endpointUri: 'sb://${nestedDependencies.outputs.serviceBusName}.servicebus.windows.net/' - entityPath: nestedDependencies.outputs.serviceBusTopicName - managedIdentities: { - systemAssigned: true + name: 'KeyBasedEndpoint' + properties: { + endpointType: 'EventHub' + authentication: { + eventHubAuthorizationRuleName: nestedDependencies.outputs.eventHubNamespaceEventHubAuthorizationRuleName + eventHubResourceId: nestedDependencies.outputs.eventHubNamespaceEventHubResourceId + type: 'KeyBased' + } + } + } + { + name: 'IdentityBasedServiceBusPrimaryEndpoint' + 
properties: { + endpointType: 'ServiceBus' + authentication: { + type: 'IdentityBased' + serviceBusNamespaceTopicResourceId: nestedDependencies.outputs.serviceBusNamespaceTopicResourceId + managedIdentities: { + userAssignedResourceId: nestedDependencies.outputs.managedIdentityResourceId + } + } } } - ] - eventGridEndpoints: [ { - eventGridDomainId: nestedDependencies.outputs.eventGridDomainResourceId - topicEndpoint: nestedDependencies.outputs.eventGridEndpoint + name: 'IdentityBasedServiceBusSecondaryEndpoint' + properties: { + endpointType: 'ServiceBus' + authentication: { + type: 'IdentityBased' + serviceBusNamespaceTopicResourceId: nestedDependencies.outputs.serviceBusNamespaceTopicResourceId + managedIdentities: { + systemAssigned: true + } + } + } + } + { + name: 'KeyBasedServiceBusEndpoint' + properties: { + authentication: { + type: 'KeyBased' + serviceBusNamespaceTopicAuthorizationRuleName: nestedDependencies.outputs.serviceBusNamespaceTopicAuthorizationRuleName + serviceBusNamespaceTopicResourceId: nestedDependencies.outputs.serviceBusNamespaceTopicResourceId + } + endpointType: 'ServiceBus' + } } ] diagnosticSettings: [ @@ -133,9 +168,13 @@ module testDeployment '../../../main.bicep' = [ } privateEndpoints: [ { - privateDnsZoneResourceIds: [ - nestedDependencies.outputs.privateDNSZoneResourceId - ] + privateDnsZoneGroup: { + privateDnsZoneGroupConfigs: [ + { + privateDnsZoneResourceId: nestedDependencies.outputs.privateDNSZoneResourceId + } + ] + } subnetResourceId: nestedDependencies.outputs.subnetResourceId } ] @@ -165,9 +204,5 @@ module testDeployment '../../../main.bicep' = [ Role: 'DeploymentValidation' } } - dependsOn: [ - nestedDependencies - diagnosticDependencies - ] } ] diff --git a/avm/res/digital-twins/digital-twins-instance/tests/e2e/pe/main.test.bicep b/avm/res/digital-twins/digital-twins-instance/tests/e2e/pe/main.test.bicep index 7bdd327bdb..ea132de61b 100644 --- a/avm/res/digital-twins/digital-twins-instance/tests/e2e/pe/main.test.bicep 
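Review bot: In the new `endpoints` array the last entry, `KeyBasedServiceBusEndpoint`, places `endpointType: 'ServiceBus'` after its `authentication` block, whereas the other five entries put `endpointType` first; move it above `authentication` so the six entries read alike. Separately, `IdentityBasedServiceBusSecondaryEndpoint` authenticates with the instance's system-assigned identity (`systemAssigned: true`), but the role assignments in dependencies.bicep shown earlier in this diff grant Data Sender only to the user-assigned identity's principal; unless the system-assigned principal is granted elsewhere, the endpoint deploys but deliveries would presumably fail at runtime, which a deployment-only test cannot detect, so a short comment stating that this entry validates provisioning rather than delivery would help. The `module testDeployment` block starts and ends outside the hunk.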
+++ b/avm/res/digital-twins/digital-twins-instance/tests/e2e/pe/main.test.bicep @@ -50,25 +50,29 @@ module testDeployment '../../../main.bicep' = [ scope: resourceGroup name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}-${iteration}' params: { - location: resourceLocation name: '${namePrefix}${serviceShort}001' privateEndpoints: [ { - privateDnsZoneResourceIds: [ - nestedDependencies.outputs.privateDNSZoneResourceId - ] + privateDnsZoneGroup: { + privateDnsZoneGroupConfigs: [ + { + privateDnsZoneResourceId: nestedDependencies.outputs.privateDNSZoneResourceId + } + ] + } subnetResourceId: nestedDependencies.outputs.defaultSubnetResourceId } { - privateDnsZoneResourceIds: [ - nestedDependencies.outputs.privateDNSZoneResourceId - ] + privateDnsZoneGroup: { + privateDnsZoneGroupConfigs: [ + { + privateDnsZoneResourceId: nestedDependencies.outputs.privateDNSZoneResourceId + } + ] + } subnetResourceId: nestedDependencies.outputs.pepTestSubnetResourceId } ] } - dependsOn: [ - nestedDependencies - ] } ] diff --git a/avm/res/digital-twins/digital-twins-instance/tests/e2e/testMe/dependencies.bicep b/avm/res/digital-twins/digital-twins-instance/tests/e2e/testMe/dependencies.bicep new file mode 100644 index 0000000000..f5361c9750 --- /dev/null +++ b/avm/res/digital-twins/digital-twins-instance/tests/e2e/testMe/dependencies.bicep 
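Review bot: Removing `location: resourceLocation` from the `params` block leaves the module's `location` to its default, which is outside this diff; if that default is the resource group's location the outcome is presumably unchanged, but the max test in the same commit still passes `location: resourceLocation` explicitly, so the two scenarios now diverge without a stated reason. Either keep `location: resourceLocation` here for consistency or add a one-line comment explaining that this scenario intentionally exercises the default. The enclosing `module testDeployment` block starts outside the hunk.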
@@ -0,0 +1,179 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Virtual Network to create.')
+param virtualNetworkName string
+
+@description('Required. The name of the Managed Identity to create.')
+param managedIdentityName string
+
+@description('Required. The name of the Event Hub Namespace to create.')
+param eventHubNamespaceName string
+
+@description('Required. The name of the Event Hub to create.')
+param eventHubName string
+
+@description('Required. The name of the Service Bus Namespace to create.')
+param serviceBusNamespaceName string
+
+@description('Required. The name of the Event Grid Topic to create.')
+param eventGridTopicName string
+
+var addressPrefix = '10.0.0.0/16'
+
+resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
+ name: virtualNetworkName
+ location: location
+ properties: {
+ addressSpace: {
+ addressPrefixes: [
+ addressPrefix
+ ]
+ }
+ subnets: [
+ {
+ name: 'defaultSubnet'
+ properties: {
+ addressPrefix: cidrSubnet(addressPrefix, 16, 0)
+ serviceEndpoints: [
+ {
+ service: 'Microsoft.KeyVault'
+ }
+ ]
+ }
+ }
+ ]
+ }
+}
+
+resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+ name: managedIdentityName
+ location: location
+}
+
+resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
+ name: 'privatelink.digitaltwins.azure.net'
+ location: 'global'
+
+ resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
+ name: '${virtualNetwork.name}-vnetlink'
+ location: 'global'
+ properties: {
+ virtualNetwork: {
+ id: virtualNetwork.id
+ }
+ registrationEnabled: false
+ }
+ }
+}
+
+resource eventGridTopic 'Microsoft.EventGrid/topics@2022-06-15' = {
+ name: eventGridTopicName
+ location: location
+}
+
+resource eventHubNamespace 'Microsoft.EventHub/namespaces@2022-10-01-preview' = {
+ name: eventHubNamespaceName
+ location: location
+ properties: {
+ zoneRedundant: false
+ isAutoInflateEnabled: false
+ maximumThroughputUnits: 0
+ }
+
+ resource eventHub 'eventhubs@2022-10-01-preview' = {
+ name: eventHubName
+
+ resource authorizationRule 'authorizationRules@2024-01-01' = {
+ name: 'testRule'
+ properties: {
+ rights: [
+ 'Listen'
+ 'Send'
+ ]
+ }
+ }
+ }
+}
+
+resource serviceBusNamespace 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' = {
+ name: serviceBusNamespaceName
+ location: location
+ properties: {
+ zoneRedundant: false
+ }
+
+ resource topic 'topics@2022-10-01-preview' = {
+ name: 'topic'
+
+ resource authorizationRule 'authorizationRules@2024-01-01' = {
+ name: 'testRule'
+ properties: {
+ rights: [
+ 'Listen'
+ 'Send'
+ 'Manage'
+ ]
+ }
+ }
+ }
+}
+
+resource eventHubNamespaceRbacAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+ name: guid(managedIdentity.id, 'evhrbacAssignment')
+ scope: eventHubNamespace
+ properties: {
+ roleDefinitionId: subscriptionResourceId(
+ 'Microsoft.Authorization/roleDefinitions',
+ '2b629674-e913-4c01-ae53-ef4638d8f975'
+ ) //Azure Event Hubs Data Sender
+ principalId: managedIdentity.properties.principalId
+ principalType: 'ServicePrincipal'
+ }
+}
+
+resource serviceBusRbacAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = {
+ name: guid(managedIdentity.id, 'sbrbacAssignment')
+ scope: serviceBusNamespace
+ properties: {
+ roleDefinitionId: subscriptionResourceId(
+ 'Microsoft.Authorization/roleDefinitions',
+ '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39'
+ ) //Azure Service Bus Data Sender
+ principalId: managedIdentity.properties.principalId
+ principalType: 'ServicePrincipal'
+ }
+}
+
+@description('The resource ID of the created Virtual Network Subnet.')
+output subnetResourceId string = virtualNetwork.properties.subnets[0].id
+
+@description('The principal ID of the created Managed Identity.')
+output managedIdentityPrincipalId string = managedIdentity.properties.principalId
+
+@description('The resource ID of the created Private DNS Zone.')
+output privateDNSZoneResourceId string = privateDNSZone.id
+
+@description('The name of the Event Hub Namespace.')
+output eventHubNamespaceName string = eventHubNamespace.name
+
+@description('The name of the Event Hub Namespace Event Hub Authorization Rule.')
+output eventHubNamespaceEventHubAuthorizationRuleName string = eventHubNamespace::eventHub::authorizationRule.name
+
+@description('The resource ID of the Service Bus Namespace Topic.')
+output serviceBusNamespaceTopicResourceId string = serviceBusNamespace::topic.id
+
+@description('The resource ID of the Service Bus Namespace Topic Authorization Rule.')
+output serviceBusNamespaceTopicAuthorizationRuleName string = serviceBusNamespace::topic::authorizationRule.name
+
+@description('The resource ID of the created Managed Identity.')
+output managedIdentityResourceId string = managedIdentity.id
+
+@description('The resource ID of the created Event Grid Topic.')
+output eventGridTopicResourceId string = eventGridTopic.id
+
+@description('The endpoint of the created Event Grid Topic.')
+output eventGridTopicEndpoint string = eventGridTopic.properties.endpoint
+
+@description('The resource ID of the created Event Hub Namespace Event Hub.')
+output eventHubNamespaceEventHubResourceId string = eventHubNamespace::eventHub.id
diff --git a/avm/res/digital-twins/digital-twins-instance/tests/e2e/testMe/main.test.bicep b/avm/res/digital-twins/digital-twins-instance/tests/e2e/testMe/main.test.bicep
new file mode 100644
index 0000000000..8657ae234f
--- /dev/null
+++ b/avm/res/digital-twins/digital-twins-instance/tests/e2e/testMe/main.test.bicep
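Review bot: This new file is byte-identical to tests/e2e/max/dependencies.bicep as patched in this commit (both `index` lines resolve to blob f5361c9750), so the `testMe` scenario duplicates the max scenario's dependency set rather than adding a distinct one. It therefore also carries the over-broad `'Manage'` right on the Service Bus topic `authorizationRule` and the `@description` on `serviceBusNamespaceTopicAuthorizationRuleName` that says "resource ID" while returning `.name`. If `testMe` is a scratch scenario kept while debugging the pipeline, it should be dropped before merge; if it is meant to ship, give it a scenario name that states what it covers and reduce this file to the dependencies that scenario actually needs.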
@@ -0,0 +1,136 @@
+targetScope = 'subscription'
+
+// ========== //
+// Parameters //
+// ========== //
+
+@description('Optional. The name of the resource group to deploy for testing purposes.')
+@maxLength(90)
+param resourceGroupName string = 'dep-${namePrefix}-digitaltwins.digitaltwinsinstances-${serviceShort}-rg'
+
+@description('Optional. The location to deploy resources to.')
+param resourceLocation string = deployment().location
+
+@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.')
+param serviceShort string = 'alsehr'
+
+@description('Optional. A token to inject into the name of each resource.')
+param namePrefix string = '#_namePrefix_#'
+
+// ============ //
+// Dependencies //
+// ============ //
+
+// General resources
+// =================
+resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = {
+ name: resourceGroupName
+ location: resourceLocation
+}
+
+module nestedDependencies 'dependencies.bicep' = {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, resourceLocation)}-nestedDependencies'
+ params: {
+ location: resourceLocation
+ virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}'
+ managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}'
+ eventHubName: 'dep-${serviceShort}-evh-01'
+ eventHubNamespaceName: 'dep-${serviceShort}-evhns-01'
+ serviceBusNamespaceName: 'dep-${serviceShort}-sb-01'
+ eventGridTopicName: 'dep-${serviceShort}-evgt-01'
+ }
+}
+
+// ============== //
+// Test Execution //
+// ============== //
+
+@batchSize(1)
+module testDeployment '../../../main.bicep' = [
+ for iteration in ['init', 'idem']: {
+ scope: resourceGroup
+ name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}-${iteration}'
+ params: {
+ name: '${namePrefix}${serviceShort}001'
+ location: resourceLocation
+ managedIdentities: {
+ systemAssigned: true
+ userAssignedResourceIds: [
+ nestedDependencies.outputs.managedIdentityResourceId
+ ]
+ }
+ endpoints: [
+ {
+ name: 'EventGridPrimary'
+ properties: {
+ endpointType: 'EventGrid'
+ eventGridTopicResourceId: nestedDependencies.outputs.eventGridTopicResourceId
+ eventGridTopicEndpoint: nestedDependencies.outputs.eventGridTopicEndpoint
+ }
+ }
+ {
+ name: 'IdentityBasedEndpoint'
+ properties: {
+ endpointType: 'EventHub'
+ authentication: {
+ eventHubResourceId: nestedDependencies.outputs.eventHubNamespaceEventHubResourceId
+ type: 'IdentityBased'
+ managedIdentities: {
+ userAssignedResourceId: nestedDependencies.outputs.managedIdentityResourceId
+ }
+ }
+ }
+ }
+ {
+ name: 'KeyBasedEndpoint'
+ properties: {
+ endpointType: 'EventHub'
+ authentication: {
+ eventHubAuthorizationRuleName: nestedDependencies.outputs.eventHubNamespaceEventHubAuthorizationRuleName
+ eventHubResourceId: nestedDependencies.outputs.eventHubNamespaceEventHubResourceId
+ type: 'KeyBased'
+ }
+ }
+ }
+ {
+ name: 'IdentityBasedServiceBusPrimaryEndpoint'
+ properties: {
+ endpointType: 'ServiceBus'
+ authentication: {
+ type: 'IdentityBased'
+ serviceBusNamespaceTopicResourceId: nestedDependencies.outputs.serviceBusNamespaceTopicResourceId
+ managedIdentities: {
+ userAssignedResourceId: nestedDependencies.outputs.managedIdentityResourceId
+ }
+ }
+ }
+ }
+ {
+ name: 'IdentityBasedServiceBusSecondaryEndpoint'
+ properties: {
+ endpointType: 'ServiceBus'
+ authentication: {
+ type: 'IdentityBased'
+ serviceBusNamespaceTopicResourceId: nestedDependencies.outputs.serviceBusNamespaceTopicResourceId
+ managedIdentities: {
+ systemAssigned: true
+ }
+ }
+ }
+ }
+ {
+ name: 'KeyBasedServiceBusEndpoint'
+ properties: {
+ authentication: {
+ type: 'KeyBased'
+ serviceBusNamespaceTopicAuthorizationRuleName: nestedDependencies.outputs.serviceBusNamespaceTopicAuthorizationRuleName
+ serviceBusNamespaceTopicResourceId: nestedDependencies.outputs.serviceBusNamespaceTopicResourceId
+ }
+ endpointType: 'ServiceBus'
+ }
+ }
+ ]
+ }
+ }
+]
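Review bot: The `testMe` directory with `param serviceShort string = 'alsehr'` reads as a developer's scratch copy of the `max` scenario rather than a named AVM e2e test, and it duplicates coverage the module's other tests are meant to provide; it should be removed before merge or given a descriptive scenario name and short id. Independently, `eventHubNamespaceName: 'dep-${serviceShort}-evhns-01'`, `serviceBusNamespaceName: 'dep-${serviceShort}-sb-01'` and `eventGridTopicName: 'dep-${serviceShort}-evgt-01'` omit the `namePrefix` token that the vnet and identity names carry, and Event Hub and Service Bus namespace names are globally unique, so parallel or forked runs can collide — `eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}'` and the same pattern for the other two. The `KeyBasedServiceBusEndpoint` consumes a topic authorization rule whose rights, in the dependencies file (whose hunk begins before this view), are `Listen`, `Send` and `Manage`; an endpoint that only publishes needs `Send`, so the shared key handed to the instance is broader than the test requires.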
diff --git a/avm/res/digital-twins/digital-twins-instance/tests/e2e/waf-aligned/dependencies.bicep b/avm/res/digital-twins/digital-twins-instance/tests/e2e/waf-aligned/dependencies.bicep
new file mode 100644
index 0000000000..1b34a4ac45
--- /dev/null
+++ b/avm/res/digital-twins/digital-twins-instance/tests/e2e/waf-aligned/dependencies.bicep
@@ -0,0 +1,68 @@
+@description('Optional. The location to deploy to.')
+param location string = resourceGroup().location
+
+@description('Required. The name of the Virtual Network to create.')
+param virtualNetworkName string
+
+var addressPrefix = '10.0.0.0/16'
+
+resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = {
+ name: virtualNetworkName
+ location: location
+ properties: {
+ addressSpace: {
+ addressPrefixes: [
+ addressPrefix
+ ]
+ }
+ subnets: [
+ {
+ name: 'defaultSubnet'
+ properties: {
+ addressPrefix: cidrSubnet(addressPrefix, 24, 0)
+ serviceEndpoints: [
+ {
+ service: 'Microsoft.KeyVault'
+ }
+ ]
+ }
+ }
+ {
+ name: 'peTestSubnet'
+ properties: {
+ addressPrefix: cidrSubnet(addressPrefix, 24, 1)
+ serviceEndpoints: [
+ {
+ service: 'Microsoft.KeyVault'
+ }
+ ]
+ }
+ }
+ ]
+ }
+}
+
+resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = {
+ name: 'privatelink.digitaltwins.azure.net'
+ location: 'global'
+
+ resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = {
+ name: '${virtualNetwork.name}-vnetlink'
+ location: 'global'
+ properties: {
+ virtualNetwork: {
+ id: virtualNetwork.id
+ }
+ registrationEnabled: false
+ }
+ }
+}
+
+@description('The resource ID of the created Virtual Network Subnet.')
+output defaultSubnetResourceId string = virtualNetwork.properties.subnets[0].id
+
+@description('The resource ID of the created Virtual Network Subnet.')
+output pepTestSubnetResourceId string = virtualNetwork.properties.subnets[1].id
+
+@description('The resource ID of the created Private DNS Zone.')
+output privateDNSZoneResourceId string = privateDNSZone.id
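Review bot: Both subnets declare `serviceEndpoints: [ { service: 'Microsoft.KeyVault' } ]`, yet nothing in this file uses Key Vault — its outputs are only the two subnet IDs and the `privatelink.digitaltwins.azure.net` zone consumed by the private-endpoint test — and the visible waf-aligned test hunks do not reference Key Vault either. The endpoints look carried over from another module's dependency template and only widen what those subnets can reach; drop both `serviceEndpoints` blocks so the test vnet carries no more than it needs. The output description on `pepTestSubnetResourceId` repeats the one on `defaultSubnetResourceId`; suggest `@description('The resource ID of the second created Virtual Network Subnet, used for the second private endpoint.')`.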
diff --git a/avm/res/digital-twins/digital-twins-instance/tests/e2e/waf-aligned/main.test.bicep b/avm/res/digital-twins/digital-twins-instance/tests/e2e/waf-aligned/main.test.bicep index 21c537ff6d..ad93f106d2 100644 --- a/avm/res/digital-twins/digital-twins-instance/tests/e2e/waf-aligned/main.test.bicep +++ b/avm/res/digital-twins/digital-twins-instance/tests/e2e/waf-aligned/main.test.bicep @@ -31,6 +31,15 @@ resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { location: resourceLocation } +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, resourceLocation)}-nestedDependencies' + params: { + location: resourceLocation + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + } +} + // Diagnostics // =========== module diagnosticDependencies '../../../../../../../utilities/e2e-template-assets/templates/diagnostic.dependencies.bicep' = { @@ -55,7 +64,6 @@ module testDeployment '../../../main.bicep' = [ scope: resourceGroup name: '${uniqueString(deployment().name, resourceLocation)}-test-${serviceShort}-${iteration}' params: { - location: resourceLocation name: '${namePrefix}${serviceShort}001' diagnosticSettings: [ { @@ -70,9 +78,28 @@ module testDeployment '../../../main.bicep' = [ Environment: 'Non-Prod' Role: 'DeploymentValidation' } + privateEndpoints: [ + { + privateDnsZoneGroup: { + privateDnsZoneGroupConfigs: [ + { + privateDnsZoneResourceId: nestedDependencies.outputs.privateDNSZoneResourceId + } + ] + } + subnetResourceId: nestedDependencies.outputs.defaultSubnetResourceId + } + { + privateDnsZoneGroup: { + privateDnsZoneGroupConfigs: [ + { + privateDnsZoneResourceId: nestedDependencies.outputs.privateDNSZoneResourceId + } + ] + } + subnetResourceId: nestedDependencies.outputs.pepTestSubnetResourceId + } + ] } - dependsOn: [ - diagnosticDependencies - ] } ] 
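Review bot: The `privateEndpoints` block added in the third hunk gives the instance two private paths in, but nothing in the diff closes the public one; if the module surfaces the instance's `publicNetworkAccess` setting as a parameter, the waf-aligned scenario should set it to `'Disabled'` next to `privateEndpoints`, otherwise the test validates private link without validating that public ingress is off. Dropping `location: resourceLocation` (second hunk) and the explicit `dependsOn: [ diagnosticDependencies ]` (third hunk) presumably relies on the module's location default and on Bicep inferring the dependency from `diagnosticDependencies.outputs` references inside `diagnosticSettings`; that body is cut off here, so the inference is worth confirming before the explicit dependency goes. The `testDeployment` module body begins before the third hunk.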
diff --git a/avm/res/digital-twins/digital-twins-instance/version.json b/avm/res/digital-twins/digital-twins-instance/version.json index 7fa401bdf7..1c035df49f 100644 --- a/avm/res/digital-twins/digital-twins-instance/version.json +++ b/avm/res/digital-twins/digital-twins-instance/version.json @@ -1,7 +1,7 @@ { "$schema": "https://aka.ms/bicep-registry-module-version-file-schema#", - "version": "0.1", + "version": "0.2", "pathFilters": [ "./main.json" ] -} +} \ No newline at end of file diff --git a/utilities/pipelines/e2eValidation/resourceDeployment/New-TemplateDeployment.ps1 b/utilities/pipelines/e2eValidation/resourceDeployment/New-TemplateDeployment.ps1 index dfb3e64c94..2a9adce2cc 100644 --- a/utilities/pipelines/e2eValidation/resourceDeployment/New-TemplateDeployment.ps1 +++ b/utilities/pipelines/e2eValidation/resourceDeployment/New-TemplateDeployment.ps1 @@ -428,7 +428,7 @@ function New-TemplateDeployment { [switch] $DoNotThrow, [Parameter(Mandatory = $false)] - [int] $RetryLimit = 3, + [int] $RetryLimit = 1, [Parameter(Mandatory = $false)] [string] $RepoRoot = (Get-Item -Path $PSScriptRoot).parent.parent.parent.parent.FullName
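Review bot: Lowering the default `RetryLimit` from 3 to 1 in `New-TemplateDeployment` changes retry behaviour for every module's e2e validation, not only Digital Twins, and no rationale is visible in this hunk; it reads like a setting used while debugging a single module rather than a deliberate repo-wide change. Unless a lower default is intended for all callers, restore `[int] $RetryLimit = 3,` and pass `-RetryLimit 1` at the call site when a fast-failing run is wanted. The `function New-TemplateDeployment` parameter block begins before this hunk.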