diff --git a/.github/dependabot.yml b/.github/dependabot.yml
new file mode 100644
index 00000000..8aa0cbf5
--- /dev/null
+++ b/.github/dependabot.yml
@@ -0,0 +1,12 @@
+version: 2
+enable-beta-ecosystems: true
+updates:
+ # Maintain dependencies for GitHub Actions
+ - package-ecosystem: "github-actions"
+ directory: "/"
+ schedule:
+ interval: "weekly"
+ day: "sunday"
+ target-branch: "dependabot/github_actions"
+ labels:
+ - "github-actions"
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index 9678e53e..ff0b6187 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -15,7 +15,7 @@ jobs:
 # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
 - name: Check Out Repository
 id: checkout_repository
- uses: actions/checkout@v2
+ uses: actions/checkout@v3
 with:
 fetch-depth: 0
@@ -29,4 +29,5 @@ jobs:
 GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
 VALIDATE_JSCPD: false
 VALIDATE_JSON: false
+ VALIDATE_GITLEAKS: false
 FILTER_REGEX_EXCLUDE: (/.devcontainer/|/reference/)
diff --git a/infra/Policies/PolicyDefinitions/PrivateDnsZoneGroups/params.synapseKusto.json b/infra/Policies/PolicyDefinitions/PrivateDnsZoneGroups/params.synapseKusto.json
new file mode 100644
index 00000000..b8184eb4
--- /dev/null
+++ b/infra/Policies/PolicyDefinitions/PrivateDnsZoneGroups/params.synapseKusto.json
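Review bot: The new `github-actions` entry will keep bumping the floating major tags this repository uses (`uses: actions/checkout@v3` in lint.yml), and a floating tag still resolves to whatever the tag owner points it at; pinning each action to a full commit SHA and letting Dependabot maintain the SHA is the stronger supply-chain posture, since Dependabot updates SHA-pinned actions as well. `enable-beta-ecosystems: true` is not required for the `github-actions` ecosystem and can be dropped unless another ecosystem is planned. `target-branch: "dependabot/github_actions"` sends every update PR to a non-default branch, so no action update reaches the default branch until that branch is merged by hand; if that batching is intended, a comment such as `# update PRs target dependabot/github_actions and are merged to the default branch in batches` would save the next reader the question.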
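Review bot: `VALIDATE_GITLEAKS: false` switches off what appears to be the only secret-scanning check in this lint job, so a committed key or token would no longer fail CI. If the motivation was false positives, a repository `.gitleaks.toml` allowlist or an extension of the existing `FILTER_REGEX_EXCLUDE` keeps the scanner running on the rest of the tree; if it was a runtime or version problem with the linter, a comment next to the flag such as `# gitleaks disabled: <reason> — re-enable once <tracking issue> is fixed` keeps the exemption from becoming quietly permanent. The enclosing job definition starts outside the hunk.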
@@ -0,0 +1,197 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "policyName": { + "value": "Deploy-DNSZoneGroup-SynapseKusto-PrivateEndpoint" + }, + "policyDescription": { + "value": "Deploys the configurations of a Private DNS Zone Group by a parameter for Synapse Kusto Private Endpoint. Used to enforce the configuration to a single Private DNS Zone." + }, + "policyMode": { + "value": "Indexed" + }, + "policyParameters": { + "value": { + "privateDnsZoneIdSynapseKusto": { + "type": "String", + "metadata": { + "displayName": "Private DNS Zone ID (Synapse Kusto)", + "strongType": "Microsoft.Network/privateDnsZones" + } + }, + "privateDnsZoneIdBlob": { + "type": "String", + "metadata": { + "displayName": "Private DNS Zone ID (Blob Storage)", + "strongType": "Microsoft.Network/privateDnsZones" + } + }, + "privateDnsZoneIdQueue": { + "type": "String", + "metadata": { + "displayName": "Private DNS Zone ID (Queue Storage)", + "strongType": "Microsoft.Network/privateDnsZones" + } + }, + "privateDnsZoneIdTable": { + "type": "String", + "metadata": { + "displayName": "Private DNS Zone ID (Table Storage)", + "strongType": "Microsoft.Network/privateDnsZones" + } + }, + "effect": { + "type": "String", + "metadata": { + "displayName": "Effect", + "description": "Enable or disable the execution of the policy" + }, + "allowedValues": [ + "DeployIfNotExists", + "Disabled" + ], + "defaultValue": "DeployIfNotExists" + } + } + }, + "policyDefinition": { + "value": { + "if": { + "allOf": [ + { + "field": "type", + "equals": "Microsoft.Network/privateEndpoints" + }, + { + "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].privateLinkServiceId", + "contains": "Microsoft.Synapse/workspaces" + }, + { + "count": { + "field": "Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]", + "where": { + "field": 
"Microsoft.Network/privateEndpoints/privateLinkServiceConnections[*].groupIds[*]", + "in": [ + "Kusto" + ] + } + }, + "greaterOrEquals": 1 + } + ] + }, + "then": { + "effect": "[parameters('effect')]", + "details": { + "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", + "roleDefinitionIds": [ + "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + ], + "existenceCondition": { + "anyOf": [ + { + "field": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups/privateDnsZoneConfigs[*].privateDnsZoneId", + "equals": "[parameters('privateDnsZoneIdSynapseKusto')]" + } + ] + }, + "deployment": { + "properties": { + "mode": "incremental", + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "privateDnsZoneIdSynapseKusto": { + "type": "string" + }, + "privateDnsZoneIdBlob": { + "type": "string" + }, + "privateDnsZoneIdQueue": { + "type": "string" + }, + "privateDnsZoneIdTable": { + "type": "string" + }, + "privateEndpointName": { + "type": "string" + }, + "location": { + "type": "string" + } + }, + "resources": [ + { + "name": "[concat(parameters('privateEndpointName'), '/deployedByPolicy')]", + "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", + "apiVersion": "2020-03-01", + "location": "[parameters('location')]", + "properties": { + "privateDnsZoneConfigs": [ + { + "name": "[concat(parameters('privateEndpointName'), '-synapseKusto-aRecord')]", + "properties": { + "privateDnsZoneId": "[parameters('privateDnsZoneIdSynapseKusto')]" + } + }, + { + "name": "[concat(parameters('privateEndpointName'), '-blob-aRecord')]", + "properties": { + "privateDnsZoneId": "[parameters('privateDnsZoneIdBlob')]" + } + }, + { + "name": "[concat(parameters('privateEndpointName'), '-queue-aRecord')]", + "properties": { + "privateDnsZoneId": "[parameters('privateDnsZoneIdQueue')]" + } + }, + { + "name": 
"[concat(parameters('privateEndpointName'), '-table-aRecord')]", + "properties": { + "privateDnsZoneId": "[parameters('privateDnsZoneIdTable')]" + } + } + ] + } + } + ] + }, + "parameters": { + "privateDnsZoneIdSynapseKusto": { + "value": "[parameters('privateDnsZoneIdSynapseKusto')]" + }, + "privateDnsZoneIdBlob": { + "value": "[parameters('privateDnsZoneIdBlob')]" + }, + "privateDnsZoneIdQueue": { + "value": "[parameters('privateDnsZoneIdQueue')]" + }, + "privateDnsZoneIdTable": { + "value": "[parameters('privateDnsZoneIdTable')]" + }, + "privateEndpointName": { + "value": "[field('name')]" + }, + "location": { + "value": "[field('location')]" + } + } + } + } + } + } + } + }, + "policyMetadata": { + "value": { + "version": "1.0.0", + "category": "Synapse", + "preview": false, + "deprecated": false + } + } + } +} \ No newline at end of file diff --git a/infra/main.json b/infra/main.json index d41e25cd..8b74ad92 100644 --- a/infra/main.json +++ b/infra/main.json @@ -4,8 +4,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.4.1124.51302", - "templateHash": "12904071157118301552" + "version": "0.13.1.58284", + "templateHash": "10931783847955992974" } }, "parameters": { @@ -287,8 +287,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.4.1124.51302", - "templateHash": "7004950783398778434" + "version": "0.13.1.58284", + "templateHash": "15665022949774606948" } }, "parameters": { 
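Review bot: `roleDefinitionIds` grants the remediation identity Contributor (`b24988ac-6180-42a0-ab88-20f7382dd24c`) although the only resource the embedded template writes is `Microsoft.Network/privateEndpoints/privateDnsZoneGroups`; Network Contributor is sufficient for that and keeps the policy's managed identity from being able to modify unrelated resources in scope. The `existenceCondition` checks only `privateDnsZoneIdSynapseKusto`, so an endpoint whose blob, queue or table zone config is missing or points at the wrong zone is reported compliant and never remediated; if all four configs are meant to be enforced, the other three parameters need to be checked too (presumably a `count` over `privateDnsZoneConfigs[*]` per zone, matching whatever the sibling policies in this folder do). The `policyDescription` value says the policy enforces "a single Private DNS Zone" while the template deploys four zone configs; rewording it to name the four zones would avoid confusion in the portal.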
@@ -494,7 +494,7 @@
 "properties": {
 "addressPrefix": "0.0.0.0/0",
 "nextHopType": "VirtualAppliance",
- "nextHopIpAddress": "[if(parameters('enableDnsAndFirewallDeployment'), reference(resourceId('Microsoft.Network/azureFirewalls', format('{0}-firewall', parameters('prefix')))).ipConfigurations[0].properties.privateIPAddress, parameters('firewallPrivateIp'))]"
+ "nextHopIpAddress": "[if(parameters('enableDnsAndFirewallDeployment'), reference(resourceId('Microsoft.Network/azureFirewalls', format('{0}-firewall', parameters('prefix'))), '2020-11-01').ipConfigurations[0].properties.privateIPAddress, parameters('firewallPrivateIp'))]"
 },
 "dependsOn": [
 "[resourceId('Microsoft.Network/azureFirewalls', format('{0}-firewall', parameters('prefix')))]",
@@ -605,7 +605,7 @@
 "id": "[resourceId('Microsoft.Network/publicIPAddresses', format('{0}-publicip001', parameters('prefix')))]"
 },
 "subnet": {
- "id": "[reference(resourceId('Microsoft.Network/virtualNetworks', format('{0}-vnet', parameters('prefix')))).subnets[0].id]"
+ "id": "[reference(resourceId('Microsoft.Network/virtualNetworks', format('{0}-vnet', parameters('prefix'))), '2020-06-01').subnets[0].id]"
 }
 }
 }
@@ -642,8 +642,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.4.1124.51302",
- "templateHash": "14459821225494404282"
+ "version": "0.13.1.58284",
+ "templateHash": "9437950411277849947"
 }
 },
 "parameters": {
@@ -1302,8 +1302,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.4.1124.51302",
- "templateHash": "14459821225494404282"
+ "version": "0.13.1.58284",
+ "templateHash": "9437950411277849947"
 }
 },
 "parameters": {
@@ -1944,11 +1944,11 @@
 },
 "serviceSubnet": {
 "type": "string",
- "value": "[reference(resourceId('Microsoft.Network/virtualNetworks', format('{0}-vnet', parameters('prefix')))).subnets[1].id]"
+ "value": "[reference(resourceId('Microsoft.Network/virtualNetworks', format('{0}-vnet', parameters('prefix'))), '2020-06-01').subnets[1].id]"
 },
 "firewallPrivateIp": {
 "type": "string",
- "value": "[if(parameters('enableDnsAndFirewallDeployment'), reference(resourceId('Microsoft.Network/azureFirewalls', format('{0}-firewall', parameters('prefix')))).ipConfigurations[0].properties.privateIPAddress, parameters('firewallPrivateIp'))]"
+ "value": "[if(parameters('enableDnsAndFirewallDeployment'), reference(resourceId('Microsoft.Network/azureFirewalls', format('{0}-firewall', parameters('prefix'))), '2020-11-01').ipConfigurations[0].properties.privateIPAddress, parameters('firewallPrivateIp'))]"
 }
 }
 }
@@ -1982,8 +1982,8 @@
 "metadata": {
 "_generator": {
 "name": "bicep",
- "version": "0.4.1124.51302",
- "templateHash": "7745049360156901819"
+ "version": "0.13.1.58284",
+ "templateHash": "1297000386697392450"
 }
 },
 "parameters": {
@@ -2018,6 +2018,7 @@
 "privatelink.eventgrid.azure.net",
 "[format('privatelink.file.{0}', environment().suffixes.storage)]",
 "privatelink.gremlin.cosmos.azure.com",
+ "privatelink.kusto.azuresynapse.net",
 "privatelink.mariadb.database.azure.com",
 "privatelink.mongo.cosmos.azure.com",
 "privatelink.mysql.database.azure.com",
@@ -2262,24 +2263,12 @@ "subnetId": { "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, format('{0}-network', variables('name'))), 'Microsoft.Resources/deployments', 'networkServices'), '2020-10-01').outputs.serviceSubnet.value]" }, - "privateDnsZoneIdPurview": { - "value": "[if(parameters('enableDnsAndFirewallDeployment'), reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, format('{0}-global-dns', variables('name'))), 'Microsoft.Resources/deployments', 'globalDnsZones'), '2020-10-01').outputs.privateDnsZoneIdPurview.value, parameters('privateDnsZoneIdPurview'))]" - }, - "privateDnsZoneIdPurviewPortal": { - "value": "[if(parameters('enableDnsAndFirewallDeployment'), reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, format('{0}-global-dns', variables('name'))), 'Microsoft.Resources/deployments', 'globalDnsZones'), '2020-10-01').outputs.privateDnsZoneIdPurviewPortal.value, parameters('privateDnsZoneIdPurviewPortal'))]" - }, - "privateDnsZoneIdStorageBlob": { - "value": "[if(parameters('enableDnsAndFirewallDeployment'), reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, format('{0}-global-dns', variables('name'))), 'Microsoft.Resources/deployments', 'globalDnsZones'), '2020-10-01').outputs.privateDnsZoneIdBlob.value, parameters('privateDnsZoneIdBlob'))]" - }, - "privateDnsZoneIdStorageQueue": { - "value": "[if(parameters('enableDnsAndFirewallDeployment'), reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, format('{0}-global-dns', variables('name'))), 'Microsoft.Resources/deployments', 'globalDnsZones'), '2020-10-01').outputs.privateDnsZoneIdQueue.value, parameters('privateDnsZoneIdQueue'))]" - }, - "privateDnsZoneIdEventhubNamespace": { - "value": 
"[if(parameters('enableDnsAndFirewallDeployment'), reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, format('{0}-global-dns', variables('name'))), 'Microsoft.Resources/deployments', 'globalDnsZones'), '2020-10-01').outputs.privateDnsZoneIdNamespace.value, parameters('privateDnsZoneIdNamespace'))]" - }, - "privateDnsZoneIdKeyVault": { - "value": "[if(parameters('enableDnsAndFirewallDeployment'), reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, format('{0}-global-dns', variables('name'))), 'Microsoft.Resources/deployments', 'globalDnsZones'), '2020-10-01').outputs.privateDnsZoneIdKeyVault.value, parameters('privateDnsZoneIdKeyVault'))]" - } + "privateDnsZoneIdPurview": "[if(parameters('enableDnsAndFirewallDeployment'), createObject('value', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, format('{0}-global-dns', variables('name'))), 'Microsoft.Resources/deployments', 'globalDnsZones'), '2020-10-01').outputs.privateDnsZoneIdPurview.value), createObject('value', parameters('privateDnsZoneIdPurview')))]", + "privateDnsZoneIdPurviewPortal": "[if(parameters('enableDnsAndFirewallDeployment'), createObject('value', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, format('{0}-global-dns', variables('name'))), 'Microsoft.Resources/deployments', 'globalDnsZones'), '2020-10-01').outputs.privateDnsZoneIdPurviewPortal.value), createObject('value', parameters('privateDnsZoneIdPurviewPortal')))]", + "privateDnsZoneIdStorageBlob": "[if(parameters('enableDnsAndFirewallDeployment'), createObject('value', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, format('{0}-global-dns', variables('name'))), 'Microsoft.Resources/deployments', 'globalDnsZones'), 
'2020-10-01').outputs.privateDnsZoneIdBlob.value), createObject('value', parameters('privateDnsZoneIdBlob')))]", + "privateDnsZoneIdStorageQueue": "[if(parameters('enableDnsAndFirewallDeployment'), createObject('value', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, format('{0}-global-dns', variables('name'))), 'Microsoft.Resources/deployments', 'globalDnsZones'), '2020-10-01').outputs.privateDnsZoneIdQueue.value), createObject('value', parameters('privateDnsZoneIdQueue')))]", + "privateDnsZoneIdEventhubNamespace": "[if(parameters('enableDnsAndFirewallDeployment'), createObject('value', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, format('{0}-global-dns', variables('name'))), 'Microsoft.Resources/deployments', 'globalDnsZones'), '2020-10-01').outputs.privateDnsZoneIdNamespace.value), createObject('value', parameters('privateDnsZoneIdNamespace')))]", + "privateDnsZoneIdKeyVault": "[if(parameters('enableDnsAndFirewallDeployment'), createObject('value', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, format('{0}-global-dns', variables('name'))), 'Microsoft.Resources/deployments', 'globalDnsZones'), '2020-10-01').outputs.privateDnsZoneIdKeyVault.value), createObject('value', parameters('privateDnsZoneIdKeyVault')))]" }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", @@ -2287,8 +2276,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.4.1124.51302", - "templateHash": "17451550666935843444" + "version": "0.13.1.58284", + "templateHash": "15006489639519450759" } }, "parameters": { 
@@ -2331,7 +2320,14 @@ }, "variables": { "purview001Name": "[format('{0}-purview001', parameters('prefix'))]", - "keyvault001Name": "[format('{0}-vault001', parameters('prefix'))]" + "keyvault001Name": "[format('{0}-vault001', parameters('prefix'))]", + "eventhubnamespace001Name": "[format('{0}-eventhub001', parameters('prefix'))]", + "eventhubNotificationName": "notification", + "eventhubHookName": "hook", + "eventhubnamespace001EventhubNames": [ + "[variables('eventhubNotificationName')]", + "[variables('eventhubHookName')]" + ] }, "resources": [ { @@ -2356,6 +2352,9 @@ "purviewName": { "value": "[variables('purview001Name')]" }, + "privateDnsZoneIdEventhubNamespace": { + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'eventhubnamespace001'), '2020-10-01').outputs.eventhubNamespaceId.value]" + }, "privateDnsZoneIdPurview": { "value": "[parameters('privateDnsZoneIdPurview')]" }, @@ -2367,9 +2366,6 @@ }, "privateDnsZoneIdStorageQueue": { "value": "[parameters('privateDnsZoneIdStorageQueue')]" - }, - "privateDnsZoneIdEventhubNamespace": { - "value": "[parameters('privateDnsZoneIdEventhubNamespace')]" } }, "template": { @@ -2378,8 +2374,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.4.1124.51302", - "templateHash": "13613768322785013128" + "version": "0.13.1.58284", + "templateHash": "6124665895572370292" } }, "parameters": { @@ -2425,13 +2421,20 @@ "eastus", "eastus2", "francecentral", + "japaneast", + "koreacentral", "northeurope", + "southafricanorth", "southcentralus", "southeastasia", + "switzerlandnorth", + "uaenorth", "uksouth", "westcentralus", "westeurope", - "westus2" + "westus", + "westus2", + "westus3" ] }, "resources": [ 
@@ -2560,7 +2563,7 @@
 "groupIds": [
 "blob"
 ],
- "privateLinkServiceId": "[reference(resourceId('Microsoft.Purview/accounts', parameters('purviewName'))).managedResources.storageAccount]",
+ "privateLinkServiceId": "[reference(resourceId('Microsoft.Purview/accounts', parameters('purviewName')), '2021-07-01').managedResources.storageAccount]",
 "requestMessage": ""
 }
 }
@@ -2607,7 +2610,7 @@
 "groupIds": [
 "queue"
 ],
- "privateLinkServiceId": "[reference(resourceId('Microsoft.Purview/accounts', parameters('purviewName'))).managedResources.storageAccount]",
+ "privateLinkServiceId": "[reference(resourceId('Microsoft.Purview/accounts', parameters('purviewName')), '2021-07-01').managedResources.storageAccount]",
 "requestMessage": ""
 }
 }
@@ -2638,23 +2641,190 @@ "dependsOn": [ "[resourceId('Microsoft.Network/privateEndpoints', variables('purviewPrivateEndpointNameQueue'))]" ] + } + ], + "outputs": { + "purviewId": { + "type": "string", + "value": "[resourceId('Microsoft.Purview/accounts', parameters('purviewName'))]" + }, + "purviewManagedStorageId": { + "type": "string", + "value": "[reference(resourceId('Microsoft.Purview/accounts', parameters('purviewName')), '2021-07-01').managedResources.storageAccount]" + } + } + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', 'eventhubnamespace001')]" + ] + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "eventhubnamespace001", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "location": { + "value": "[parameters('location')]" + }, + "tags": { + "value": "[parameters('tags')]" + }, + "subnetId": { + "value": "[parameters('subnetId')]" + }, + "eventhubnamespaceName": { + "value": "[variables('eventhubnamespace001Name')]" + }, + "eventhubNames": { + "value": "[variables('eventhubnamespace001EventhubNames')]" + }, + "eventhubnamespaceMinThroughput": { + "value": 1 + }, + "eventhubnamespaceMaxThroughput": { + "value": 1 + }, + "privateDnsZoneIdEventhubNamespace": { + "value": "[parameters('privateDnsZoneIdEventhubNamespace')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.13.1.58284", + "templateHash": "11184303591094618707" + } + }, + "parameters": { + "location": { + "type": "string" + }, + "tags": { + "type": "object" + }, + "subnetId": { + "type": "string" + }, + "eventhubnamespaceName": { + "type": "string" + }, + "eventhubnamespaceMinThroughput": { + "type": "int", + "maxValue": 20, + "minValue": 1 + }, + "eventhubnamespaceMaxThroughput": { + 
"type": "int", + "maxValue": 20, + "minValue": 1 + }, + "eventhubNames": { + "type": "array", + "defaultValue": [] + }, + "privateDnsZoneIdEventhubNamespace": { + "type": "string", + "defaultValue": "" + } + }, + "variables": { + "eventhubNamespacePrivateEndpointName": "[format('{0}-private-endpoint', parameters('eventhubnamespaceName'))]" + }, + "resources": [ + { + "type": "Microsoft.EventHub/namespaces", + "apiVersion": "2022-01-01-preview", + "name": "[parameters('eventhubnamespaceName')]", + "location": "[parameters('location')]", + "tags": "[parameters('tags')]", + "identity": { + "type": "SystemAssigned" + }, + "sku": { + "name": "Standard", + "tier": "Standard", + "capacity": "[parameters('eventhubnamespaceMinThroughput')]" + }, + "properties": { + "disableLocalAuth": true, + "isAutoInflateEnabled": true, + "kafkaEnabled": true, + "maximumThroughputUnits": "[parameters('eventhubnamespaceMaxThroughput')]", + "zoneRedundant": true + } + }, + { + "type": "Microsoft.EventHub/namespaces/networkRuleSets", + "apiVersion": "2022-01-01-preview", + "name": "[format('{0}/{1}', parameters('eventhubnamespaceName'), 'default')]", + "properties": { + "defaultAction": "Deny", + "ipRules": [], + "virtualNetworkRules": [], + "publicNetworkAccess": "Enabled", + "trustedServiceAccessEnabled": true + }, + "dependsOn": [ + "[resourceId('Microsoft.EventHub/namespaces', parameters('eventhubnamespaceName'))]" + ] + }, + { + "copy": { + "name": "eventhubs", + "count": "[length(parameters('eventhubNames'))]" + }, + "type": "Microsoft.EventHub/namespaces/eventhubs", + "apiVersion": "2022-01-01-preview", + "name": "[format('{0}/{1}', parameters('eventhubnamespaceName'), parameters('eventhubNames')[copyIndex()])]", + "properties": { + "captureDescription": { + "enabled": false, + "destination": { + "name": "default", + "properties": { + "archiveNameFormat": "", + "blobContainer": "", + "storageAccountResourceId": "" + } + }, + "encoding": "Avro", + "intervalInSeconds": 900, + 
"sizeLimitInBytes": 10485760, + "skipEmptyArchives": true + }, + "messageRetentionInDays": 3, + "partitionCount": 1, + "status": "Active" + }, + "dependsOn": [ + "[resourceId('Microsoft.EventHub/namespaces', parameters('eventhubnamespaceName'))]" + ] }, { "type": "Microsoft.Network/privateEndpoints", "apiVersion": "2020-11-01", - "name": "[variables('purviewPrivateEndpointNameNamespace')]", + "name": "[variables('eventhubNamespacePrivateEndpointName')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", "properties": { "manualPrivateLinkServiceConnections": [], "privateLinkServiceConnections": [ { - "name": "[variables('purviewPrivateEndpointNameNamespace')]", + "name": "[variables('eventhubNamespacePrivateEndpointName')]", "properties": { "groupIds": [ "namespace" ], - "privateLinkServiceId": "[reference(resourceId('Microsoft.Purview/accounts', parameters('purviewName'))).managedResources.eventHubNamespace]", + "privateLinkServiceId": "[resourceId('Microsoft.EventHub/namespaces', parameters('eventhubnamespaceName'))]", "requestMessage": "" } } @@ -2664,18 +2834,18 @@ } }, "dependsOn": [ - "[resourceId('Microsoft.Purview/accounts', parameters('purviewName'))]" + "[resourceId('Microsoft.EventHub/namespaces', parameters('eventhubnamespaceName'))]" ] }, { "condition": "[not(empty(parameters('privateDnsZoneIdEventhubNamespace')))]", "type": "Microsoft.Network/privateEndpoints/privateDnsZoneGroups", "apiVersion": "2020-11-01", - "name": "[format('{0}/{1}', variables('purviewPrivateEndpointNameNamespace'), 'default')]", + "name": "[format('{0}/{1}', variables('eventhubNamespacePrivateEndpointName'), 'default')]", "properties": { "privateDnsZoneConfigs": [ { - "name": "[format('{0}-arecord', variables('purviewPrivateEndpointNameNamespace'))]", + "name": "[format('{0}-arecord', variables('eventhubNamespacePrivateEndpointName'))]", "properties": { "privateDnsZoneId": "[parameters('privateDnsZoneIdEventhubNamespace')]" } 
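Review bot: The new `Microsoft.EventHub/namespaces/networkRuleSets` resource sets `"defaultAction": "Deny"` with empty `ipRules` and `virtualNetworkRules` but also `"publicNetworkAccess": "Enabled"`, so the namespace's public endpoint stays reachable and only the deny rule plus `"trustedServiceAccessEnabled": true` keep traffic out; since the same hunk deploys a private endpoint for the namespace, `"publicNetworkAccess": "Disabled"` would state the private-only intent directly. If the Purview trusted-service path to these hubs depends on the public endpoint, a comment in the Bicep source recording that would stop the next reader from "fixing" it. main.json is compiled output (`_generator.name` is `bicep`), so either change belongs in the Event Hub module source rather than this file. `"disableLocalAuth": true` together with the system-assigned identity is the right default for a namespace that only Purview should write to.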
@@ -2683,22 +2853,14 @@ ] }, "dependsOn": [ - "[resourceId('Microsoft.Network/privateEndpoints', variables('purviewPrivateEndpointNameNamespace'))]" + "[resourceId('Microsoft.Network/privateEndpoints', variables('eventhubNamespacePrivateEndpointName'))]" ] } ], "outputs": { - "purviewId": { - "type": "string", - "value": "[resourceId('Microsoft.Purview/accounts', parameters('purviewName'))]" - }, - "purviewManagedStorageId": { + "eventhubNamespaceId": { "type": "string", - "value": "[reference(resourceId('Microsoft.Purview/accounts', parameters('purviewName'))).managedResources.storageAccount]" - }, - "purviewManagedEventHubId": { - "type": "string", - "value": "[reference(resourceId('Microsoft.Purview/accounts', parameters('purviewName'))).managedResources.eventHubNamespace]" + "value": "[resourceId('Microsoft.EventHub/namespaces', parameters('eventhubnamespaceName'))]" } } } @@ -2736,8 +2898,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.4.1124.51302", - "templateHash": "12660131753967436973" + "version": "0.13.1.58284", + "templateHash": "373255486735856424" } }, "parameters": { @@ -2764,7 +2926,7 @@ "resources": [ { "type": "Microsoft.KeyVault/vaults", - "apiVersion": "2021-04-01-preview", + "apiVersion": "2022-07-01", "name": "[parameters('keyvaultName')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", @@ -2783,6 +2945,7 @@ "ipRules": [], "virtualNetworkRules": [] }, + "publicNetworkAccess": "Enabled", "sku": { "family": "A", "name": "standard" 
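Review bot: `"publicNetworkAccess": "Enabled"` is added to the Key Vault next to `ipRules` and `virtualNetworkRules` that are both empty, so the vault's public endpoint remains open and access control rests on the network ACL default action, which is outside this hunk. If the vault is reached through a private endpoint elsewhere in the template, `"publicNetworkAccess": "Disabled"` is the least-exposure value now that the `2022-07-01` API version makes the setting explicit; if the public path is needed, a short comment in the Bicep source saying why would document the decision. This file is compiled from Bicep, so the change belongs in the key vault module source.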
@@ -2851,7 +3014,100 @@ { "type": "Microsoft.Resources/deployments", "apiVersion": "2020-10-01", - "name": "purviewKeyVaultRoleAssignment", + "name": "purviewKafkaConfiguration", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "purviewId": { + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'purview001'), '2020-10-01').outputs.purviewId.value]" + }, + "eventhubnamespaceId": { + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'eventhubnamespace001'), '2020-10-01').outputs.eventhubNamespaceId.value]" + }, + "eventhubHookName": { + "value": "[variables('eventhubHookName')]" + }, + "eventhubNotificationName": { + "value": "[variables('eventhubNotificationName')]" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.13.1.58284", + "templateHash": "5610001366120048244" + } + }, + "parameters": { + "eventhubnamespaceId": { + "type": "string" + }, + "eventhubNotificationName": { + "type": "string" + }, + "eventhubHookName": { + "type": "string" + }, + "purviewId": { + "type": "string" + } + }, + "variables": { + "eventhubnamespaceSubscriptionId": "[if(greaterOrEquals(length(split(parameters('eventhubnamespaceId'), '/')), 9), split(parameters('eventhubnamespaceId'), '/')[2], subscription().subscriptionId)]", + "eventhubnamespaceResourceGroupName": "[if(greaterOrEquals(length(split(parameters('eventhubnamespaceId'), '/')), 9), split(parameters('eventhubnamespaceId'), '/')[4], resourceGroup().name)]", + "eventhubnamespaceName": "[if(greaterOrEquals(length(split(parameters('eventhubnamespaceId'), '/')), 9), last(split(parameters('eventhubnamespaceId'), '/')), 'incorrectSegmentLength')]", + "purviewName": "[if(greaterOrEquals(length(split(parameters('purviewId'), '/')), 9), 
last(split(parameters('purviewId'), '/')), 'incorrectSegmentLength')]" + }, + "resources": [ + { + "type": "Microsoft.Purview/accounts/kafkaConfigurations", + "apiVersion": "2021-12-01", + "name": "[format('{0}/{1}', variables('purviewName'), 'notification')]", + "properties": { + "credentials": { + "type": "SystemAssigned" + }, + "eventHubResourceId": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('eventhubnamespaceSubscriptionId'), variables('eventhubnamespaceResourceGroupName')), 'Microsoft.EventHub/namespaces/eventhubs', variables('eventhubnamespaceName'), parameters('eventhubNotificationName'))]", + "eventHubType": "Notification", + "eventStreamingState": "Enabled", + "eventStreamingType": "Azure" + } + }, + { + "type": "Microsoft.Purview/accounts/kafkaConfigurations", + "apiVersion": "2021-12-01", + "name": "[format('{0}/{1}', variables('purviewName'), 'hook')]", + "properties": { + "credentials": { + "type": "SystemAssigned" + }, + "eventHubResourceId": "[extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('eventhubnamespaceSubscriptionId'), variables('eventhubnamespaceResourceGroupName')), 'Microsoft.EventHub/namespaces/eventhubs', variables('eventhubnamespaceName'), parameters('eventhubHookName'))]", + "eventHubType": "Hook", + "eventStreamingState": "Enabled", + "eventStreamingType": "Azure", + "consumerGroup": "$Default" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', 'eventhubnamespace001')]", + "[resourceId('Microsoft.Resources/deployments', 'purview001')]", + "[resourceId('Microsoft.Resources/deployments', 'purviewRoleAssignmentEventhubHook')]", + "[resourceId('Microsoft.Resources/deployments', 'purviewRoleAssignmentEventhubNotification')]" + ] + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "purviewRoleAssignmentKeyVault", "properties": { "expressionEvaluationOptions": { "scope": "inner" 
@@ -2863,6 +3119,9 @@ }, "keyVaultId": { "value": "[reference(resourceId('Microsoft.Resources/deployments', 'keyVault001'), '2020-10-01').outputs.keyvaultId.value]" + }, + "role": { + "value": "KeyVaultSecretsUser" } }, "template": { @@ -2871,8 +3130,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.4.1124.51302", - "templateHash": "11291074661216838287" + "version": "0.13.1.58284", + "templateHash": "5796602811982184644" } }, "parameters": { @@ -2881,13 +3140,22 @@ }, "keyVaultId": { "type": "string" + }, + "role": { + "type": "string", + "allowedValues": [ + "KeyVaultSecretsUser" + ] } }, "variables": { "keyVaultName": "[if(greaterOrEquals(length(split(parameters('keyVaultId'), '/')), 9), last(split(parameters('keyVaultId'), '/')), 'incorrectSegmentLength')]", "purviewSubscriptionId": "[if(greaterOrEquals(length(split(parameters('purviewId'), '/')), 9), split(parameters('purviewId'), '/')[2], subscription().subscriptionId)]", "purviewResourceGroupName": "[if(greaterOrEquals(length(split(parameters('purviewId'), '/')), 9), split(parameters('purviewId'), '/')[4], resourceGroup().name)]", - "purviewName": "[if(greaterOrEquals(length(split(parameters('purviewId'), '/')), 9), last(split(parameters('purviewId'), '/')), 'incorrectSegmentLength')]" + "purviewName": "[if(greaterOrEquals(length(split(parameters('purviewId'), '/')), 9), last(split(parameters('purviewId'), '/')), 'incorrectSegmentLength')]", + "roles": { + "KeyVaultSecretsUser": "4633458b-17de-408a-b874-0445c86b69e6" + } }, "resources": [ { 
@@ -2896,7 +3164,7 @@
 "scope": "[format('Microsoft.KeyVault/vaults/{0}', variables('keyVaultName'))]",
 "name": "[guid(uniqueString(resourceId('Microsoft.KeyVault/vaults', variables('keyVaultName')), extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('purviewSubscriptionId'), variables('purviewResourceGroupName')), 'Microsoft.Purview/accounts', variables('purviewName'))))]",
 "properties": {
- "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6')]",
+ "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', variables('roles')[parameters('role')])]",
 "principalId": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('purviewSubscriptionId'), variables('purviewResourceGroupName')), 'Microsoft.Purview/accounts', variables('purviewName')), '2020-12-01-preview', 'full').identity.principalId]",
 "principalType": "ServicePrincipal"
 }
@@ -2908,6 +3176,168 @@ "[resourceId('Microsoft.Resources/deployments', 'keyVault001')]", "[resourceId('Microsoft.Resources/deployments', 'purview001')]" ] + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "purviewRoleAssignmentEventhubNotification", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "purviewId": { + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'purview001'), '2020-10-01').outputs.purviewId.value]" + }, + "eventhubnamespaceId": { + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'eventhubnamespace001'), '2020-10-01').outputs.eventhubNamespaceId.value]" + }, + "eventhubName": { + "value": "[variables('eventhubNotificationName')]" + }, + "role": { + "value": "AzureEventHubsDataSender" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.13.1.58284", + "templateHash": "11880650922445855442" + } + }, + "parameters": { + "eventhubnamespaceId": { + "type": "string" + }, + "eventhubName": { + "type": "string" + }, + "purviewId": { + "type": "string" + }, + "role": { + "type": "string", + "allowedValues": [ + "AzureEventHubsDataReceiver", + "AzureEventHubsDataSender" + ] + } + }, + "variables": { + "eventhubnamespaceName": "[if(greaterOrEquals(length(split(parameters('eventhubnamespaceId'), '/')), 9), last(split(parameters('eventhubnamespaceId'), '/')), 'incorrectSegmentLength')]", + "purviewSubscriptionId": "[if(greaterOrEquals(length(split(parameters('purviewId'), '/')), 9), split(parameters('purviewId'), '/')[2], subscription().subscriptionId)]", + "purviewResourceGroupName": "[if(greaterOrEquals(length(split(parameters('purviewId'), '/')), 9), split(parameters('purviewId'), '/')[4], resourceGroup().name)]", + "purviewName": 
"[if(greaterOrEquals(length(split(parameters('purviewId'), '/')), 9), last(split(parameters('purviewId'), '/')), 'incorrectSegmentLength')]", + "roles": { + "AzureEventHubsDataReceiver": "a638d3c7-ab3a-418d-83e6-5f17a39d4fde", + "AzureEventHubsDataSender": "2b629674-e913-4c01-ae53-ef4638d8f975" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.EventHub/namespaces/{0}/eventhubs/{1}', variables('eventhubnamespaceName'), parameters('eventhubName'))]", + "name": "[guid(uniqueString(resourceId('Microsoft.EventHub/namespaces/eventhubs', variables('eventhubnamespaceName'), parameters('eventhubName')), extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('purviewSubscriptionId'), variables('purviewResourceGroupName')), 'Microsoft.Purview/accounts', variables('purviewName'))))]", + "properties": { + "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', variables('roles')[parameters('role')])]", + "principalId": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('purviewSubscriptionId'), variables('purviewResourceGroupName')), 'Microsoft.Purview/accounts', variables('purviewName')), '2020-12-01-preview', 'full').identity.principalId]", + "principalType": "ServicePrincipal" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', 'eventhubnamespace001')]", + "[resourceId('Microsoft.Resources/deployments', 'purview001')]" + ] + }, + { + "type": "Microsoft.Resources/deployments", + "apiVersion": "2020-10-01", + "name": "purviewRoleAssignmentEventhubHook", + "properties": { + "expressionEvaluationOptions": { + "scope": "inner" + }, + "mode": "Incremental", + "parameters": { + "purviewId": { + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'purview001'), '2020-10-01').outputs.purviewId.value]" + }, + "eventhubnamespaceId": { + "value": 
"[reference(resourceId('Microsoft.Resources/deployments', 'eventhubnamespace001'), '2020-10-01').outputs.eventhubNamespaceId.value]" + }, + "eventhubName": { + "value": "[variables('eventhubHookName')]" + }, + "role": { + "value": "AzureEventHubsDataReceiver" + } + }, + "template": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "_generator": { + "name": "bicep", + "version": "0.13.1.58284", + "templateHash": "11880650922445855442" + } + }, + "parameters": { + "eventhubnamespaceId": { + "type": "string" + }, + "eventhubName": { + "type": "string" + }, + "purviewId": { + "type": "string" + }, + "role": { + "type": "string", + "allowedValues": [ + "AzureEventHubsDataReceiver", + "AzureEventHubsDataSender" + ] + } + }, + "variables": { + "eventhubnamespaceName": "[if(greaterOrEquals(length(split(parameters('eventhubnamespaceId'), '/')), 9), last(split(parameters('eventhubnamespaceId'), '/')), 'incorrectSegmentLength')]", + "purviewSubscriptionId": "[if(greaterOrEquals(length(split(parameters('purviewId'), '/')), 9), split(parameters('purviewId'), '/')[2], subscription().subscriptionId)]", + "purviewResourceGroupName": "[if(greaterOrEquals(length(split(parameters('purviewId'), '/')), 9), split(parameters('purviewId'), '/')[4], resourceGroup().name)]", + "purviewName": "[if(greaterOrEquals(length(split(parameters('purviewId'), '/')), 9), last(split(parameters('purviewId'), '/')), 'incorrectSegmentLength')]", + "roles": { + "AzureEventHubsDataReceiver": "a638d3c7-ab3a-418d-83e6-5f17a39d4fde", + "AzureEventHubsDataSender": "2b629674-e913-4c01-ae53-ef4638d8f975" + } + }, + "resources": [ + { + "type": "Microsoft.Authorization/roleAssignments", + "apiVersion": "2022-04-01", + "scope": "[format('Microsoft.EventHub/namespaces/{0}/eventhubs/{1}', variables('eventhubnamespaceName'), parameters('eventhubName'))]", + "name": 
"[guid(uniqueString(resourceId('Microsoft.EventHub/namespaces/eventhubs', variables('eventhubnamespaceName'), parameters('eventhubName')), extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('purviewSubscriptionId'), variables('purviewResourceGroupName')), 'Microsoft.Purview/accounts', variables('purviewName'))))]", + "properties": { + "roleDefinitionId": "[resourceId('Microsoft.Authorization/roleDefinitions', variables('roles')[parameters('role')])]", + "principalId": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', variables('purviewSubscriptionId'), variables('purviewResourceGroupName')), 'Microsoft.Purview/accounts', variables('purviewName')), '2020-12-01-preview', 'full').identity.principalId]", + "principalType": "ServicePrincipal" + } + } + ] + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Resources/deployments', 'eventhubnamespace001')]", + "[resourceId('Microsoft.Resources/deployments', 'purview001')]" + ] } ], "outputs": { @@ -2921,7 +3351,7 @@ }, "purviewManagedEventHubId": { "type": "string", - "value": "[reference(resourceId('Microsoft.Resources/deployments', 'purview001'), '2020-10-01').outputs.purviewManagedEventHubId.value]" + "value": "[reference(resourceId('Microsoft.Resources/deployments', 'eventhubnamespace001'), '2020-10-01').outputs.eventhubNamespaceId.value]" } } } 
@@ -2955,9 +3385,7 @@ "subnetId": { "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, format('{0}-network', variables('name'))), 'Microsoft.Resources/deployments', 'networkServices'), '2020-10-01').outputs.serviceSubnet.value]" }, - "privateDnsZoneIdContainerRegistry": { - "value": "[if(parameters('enableDnsAndFirewallDeployment'), reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, format('{0}-global-dns', variables('name'))), 'Microsoft.Resources/deployments', 'globalDnsZones'), '2020-10-01').outputs.privateDnsZoneIdContainerRegistry.value, parameters('privateDnsZoneIdContainerRegistry'))]" - } + "privateDnsZoneIdContainerRegistry": "[if(parameters('enableDnsAndFirewallDeployment'), createObject('value', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, format('{0}-global-dns', variables('name'))), 'Microsoft.Resources/deployments', 'globalDnsZones'), '2020-10-01').outputs.privateDnsZoneIdContainerRegistry.value), createObject('value', parameters('privateDnsZoneIdContainerRegistry')))]" }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", @@ -2965,8 +3393,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.4.1124.51302", - "templateHash": "405891751471543400" + "version": "0.13.1.58284", + "templateHash": "11420617460349724342" } }, "parameters": { @@ -3023,8 +3451,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.4.1124.51302", - "templateHash": "10570330895745200307" + "version": "0.13.1.58284", + "templateHash": "7061681707222167568" } }, "parameters": { 
@@ -3052,7 +3480,7 @@ "resources": [ { "type": "Microsoft.ContainerRegistry/registries", - "apiVersion": "2020-11-01-preview", + "apiVersion": "2022-02-01-preview", "name": "[variables('containerRegistryNameCleaned')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]", @@ -3073,6 +3501,12 @@ "virtualNetworkRules": [] }, "policies": { + "azureADAuthenticationAsArmPolicy": { + "status": "enabled" + }, + "exportPolicy": { + "status": "enabled" + }, "quarantinePolicy": { "status": "enabled" }, @@ -3080,6 +3514,10 @@ "status": "enabled", "days": 7 }, + "softDeletePolicy": { + "status": "disabled", + "retentionDays": 7 + }, "trustPolicy": { "status": "disabled", "type": "Notary" 
@@ -3171,18 +3609,10 @@ "subnetId": { "value": "[reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, format('{0}-network', variables('name'))), 'Microsoft.Resources/deployments', 'networkServices'), '2020-10-01').outputs.serviceSubnet.value]" }, - "privateDnsZoneIdSynapseprivatelinkhub": { - "value": "[if(parameters('enableDnsAndFirewallDeployment'), reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, format('{0}-global-dns', variables('name'))), 'Microsoft.Resources/deployments', 'globalDnsZones'), '2020-10-01').outputs.privateDnsZoneIdSynapse.value, parameters('privateDnsZoneIdSynapse'))]" - }, - "privateDnsZoneIdAnalysis": { - "value": "[if(parameters('enableDnsAndFirewallDeployment'), reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, format('{0}-global-dns', variables('name'))), 'Microsoft.Resources/deployments', 'globalDnsZones'), '2020-10-01').outputs.privateDnsZoneIdAnalysis.value, '')]" - }, - "privateDnsZoneIdPbiDedicated": { - "value": "[if(parameters('enableDnsAndFirewallDeployment'), reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, format('{0}-global-dns', variables('name'))), 'Microsoft.Resources/deployments', 'globalDnsZones'), '2020-10-01').outputs.privateDnsZoneIdPbiDedicated.value, '')]" - }, - "privateDnsZoneIdPowerQuery": { - "value": "[if(parameters('enableDnsAndFirewallDeployment'), reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, format('{0}-global-dns', variables('name'))), 'Microsoft.Resources/deployments', 'globalDnsZones'), '2020-10-01').outputs.privateDnsZoneIdPowerQuery.value, '')]" - } + "privateDnsZoneIdSynapseprivatelinkhub": "[if(parameters('enableDnsAndFirewallDeployment'), createObject('value', 
reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, format('{0}-global-dns', variables('name'))), 'Microsoft.Resources/deployments', 'globalDnsZones'), '2020-10-01').outputs.privateDnsZoneIdSynapse.value), createObject('value', parameters('privateDnsZoneIdSynapse')))]", + "privateDnsZoneIdAnalysis": "[if(parameters('enableDnsAndFirewallDeployment'), createObject('value', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, format('{0}-global-dns', variables('name'))), 'Microsoft.Resources/deployments', 'globalDnsZones'), '2020-10-01').outputs.privateDnsZoneIdAnalysis.value), createObject('value', ''))]", + "privateDnsZoneIdPbiDedicated": "[if(parameters('enableDnsAndFirewallDeployment'), createObject('value', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, format('{0}-global-dns', variables('name'))), 'Microsoft.Resources/deployments', 'globalDnsZones'), '2020-10-01').outputs.privateDnsZoneIdPbiDedicated.value), createObject('value', ''))]", + "privateDnsZoneIdPowerQuery": "[if(parameters('enableDnsAndFirewallDeployment'), createObject('value', reference(extensionResourceId(format('/subscriptions/{0}/resourceGroups/{1}', subscription().subscriptionId, format('{0}-global-dns', variables('name'))), 'Microsoft.Resources/deployments', 'globalDnsZones'), '2020-10-01').outputs.privateDnsZoneIdPowerQuery.value), createObject('value', ''))]" }, "template": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", @@ -3190,8 +3620,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.4.1124.51302", - "templateHash": "14201920356500171973" + "version": "0.13.1.58284", + "templateHash": "11563909519108326296" } }, "parameters": { 
@@ -3261,8 +3691,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.4.1124.51302", - "templateHash": "16240531194403531210" + "version": "0.13.1.58284", + "templateHash": "14299437496902087822" } }, "parameters": { @@ -3286,35 +3716,37 @@ "synapsePrivatelinkHubNameCleaned": "[replace(parameters('synapsePrivatelinkHubName'), '-', '')]", "synapsePrivatelinkHubPrivateEndpointName": "[format('{0}-private-endpoint', variables('synapsePrivatelinkHubNameCleaned'))]", "synapsePrivatelinkHubRegions": [ - "westus2", - "eastus", - "northeurope", - "westeurope", - "southeastasia", "australiaeast", - "westcentralus", - "southcentralus", - "eastus2", - "uksouth", - "westus", "australiasoutheast", - "eastasia", "brazilsouth", - "centralus", - "centralindia", - "japaneast", - "northcentralus", "canadacentral", "canadaeast", - "koreacentral", - "southafricanorth", - "ukwest", - "japanwest", + "centralindia", + "centralus", + "eastasia", + "eastus", + "eastus2", "francecentral", - "switzerlandnorth", "germanywestcentral", + "japaneast", + "japanwest", + "koreacentral", + "northcentralus", + "northeurope", "norwayeast", + "quatarcentral", + "southafricanorth", + "southcentralus", + "southindia", + "southeastasia", + "switzerlandnorth", "uaenorth", + "uksouth", + "ukwest", + "westcentralus", + "westeurope", + "westus", + "westus2", "westus3", "jioindiawest" ] @@ -3322,7 +3754,7 @@ "resources": [ { "type": "Microsoft.Synapse/privateLinkHubs", - "apiVersion": "2021-03-01", + "apiVersion": "2021-06-01", "name": "[variables('synapsePrivatelinkHubNameCleaned')]", "location": "[if(contains(variables('synapsePrivatelinkHubRegions'), parameters('location')), parameters('location'), 'northeurope')]", "tags": "[parameters('tags')]", @@ -3421,8 +3853,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.4.1124.51302", - "templateHash": "18084870413505134204" + "version": "0.13.1.58284", + "templateHash": "104920521759905055" } }, "parameters": { 
@@ -3475,8 +3907,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.4.1124.51302", - "templateHash": "1773924684182957173" + "version": "0.13.1.58284", + "templateHash": "5078395867383769845" } }, "parameters": { @@ -3493,7 +3925,7 @@ "resources": [ { "type": "Microsoft.ManagedIdentity/userAssignedIdentities", - "apiVersion": "2018-11-30", + "apiVersion": "2022-01-31-preview", "name": "[parameters('userAssignedIdentityName')]", "location": "[parameters('location')]", "tags": "[parameters('tags')]" @@ -3530,8 +3962,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.4.1124.51302", - "templateHash": "15089794917938446955" + "version": "0.13.1.58284", + "templateHash": "6545478069686843090" } }, "parameters": { @@ -3594,8 +4026,8 @@ "metadata": { "_generator": { "name": "bicep", - "version": "0.4.1124.51302", - "templateHash": "7632760840318778244" + "version": "0.13.1.58284", + "templateHash": "1984282279033984571" } }, "parameters": { 
@@ -3620,6 +4052,7 @@ } }, "variables": { + "$fxv#0": "# Copyright (c) Microsoft Corporation.\r\n# Licensed under the MIT license.\r\n\r\n# Define script arguments\r\n[CmdletBinding()]\r\nparam (\r\n [Parameter(Mandatory = $true)]\r\n [ValidateNotNullOrEmpty()]\r\n [string]\r\n $PurviewId,\r\n\r\n [Parameter(Mandatory = $false)]\r\n [string[]]\r\n $PurviewRootCollectionAdmins = @(),\r\n\r\n [Parameter(Mandatory=$false)]\r\n [Switch]\r\n $SetPurviewAccountAsDefault\r\n)\r\n\r\n# Install Required Module\r\nWrite-Output \"Installing Required Module\"\r\nSet-PSRepository `\r\n -Name PSGallery `\r\n -InstallationPolicy Trusted\r\nInstall-Module `\r\n -Name Az.Purview `\r\n -Repository PSGallery `\r\n -Force\r\n\r\n# Define Parameters\r\nWrite-Output \"Defining Parameters\"\r\n$tenantId = (Get-AzContext).Tenant.Id\r\n$purviewSubscriptionId = $PurviewId.Split(\"/\")[2]\r\n$purviewResourceGroupName = $PurviewId.Split(\"/\")[4]\r\n$purviewAccountName = $PurviewId.Split(\"/\")[8]\r\n\r\nif ($SetPurviewAccountAsDefault) {\r\n # Set Purview Account as Default in Tenant\r\n Write-Output \"Setting Purview Account as Default in Tenant\"\r\n Set-AzPurviewDefaultAccount `\r\n -ScopeTenantId $tenantId `\r\n -ScopeType \"Tenant\" `\r\n -Scope $tenantId `\r\n -SubscriptionId $purviewSubscriptionId `\r\n -ResourceGroupName $purviewResourceGroupName `\r\n -AccountName $purviewAccountName\r\n} else {\r\n # NOT Set Purview Account as Default in Tenant\r\n Write-Output \"NOT Setting Purview Account as Default in Tenant\"\r\n}\r\n\r\nforeach ($purviewRootCollectionAdmin in $PurviewRootCollectionAdmins) {\r\n # Set Purview Root Collection Admin\r\n Write-Output \"Setting Purview Root Collection Admin '${purviewRootCollectionAdmin}'\"\r\n Add-AzPurviewAccountRootCollectionAdmin `\r\n -SubscriptionId $purviewSubscriptionId `\r\n -ResourceGroupName $purviewResourceGroupName `\r\n -AccountName $purviewAccountName `\r\n -ObjectId $purviewRootCollectionAdmin\r\n}\r\n", "purviewName": 
"[if(greaterOrEquals(length(split(parameters('purviewId'), '/')), 9), last(split(parameters('purviewId'), '/')), 'incorrectSegmentLength')]", "purviewSetupName": "[format('{0}-setup', variables('purviewName'))]", "purviewRootCollectionAdminsInput": "[replace(replace(string(parameters('purviewRootCollectionAdminObjectIds')), '[', ''), ']', '')]" 
@@ -3648,7 +4081,7 @@ }, "environmentVariables": [], "forceUpdateTag": "[parameters('forceUpdateTag')]", - "scriptContent": "# Copyright (c) Microsoft Corporation.\r\n# Licensed under the MIT license.\r\n\r\n# Define script arguments\r\n[CmdletBinding()]\r\nparam (\r\n [Parameter(Mandatory = $true)]\r\n [ValidateNotNullOrEmpty()]\r\n [string]\r\n $PurviewId,\r\n\r\n [Parameter(Mandatory = $false)]\r\n [string[]]\r\n $PurviewRootCollectionAdmins = @(),\r\n\r\n [Parameter(Mandatory=$false)]\r\n [Switch]\r\n $SetPurviewAccountAsDefault\r\n)\r\n\r\n# Install Required Module\r\nWrite-Output \"Installing Required Module\"\r\nSet-PSRepository `\r\n -Name PSGallery `\r\n -InstallationPolicy Trusted\r\nInstall-Module `\r\n -Name Az.Purview `\r\n -Repository PSGallery `\r\n -Force\r\n\r\n# Define Parameters\r\nWrite-Output \"Defining Parameters\"\r\n$tenantId = (Get-AzContext).Tenant.Id\r\n$purviewSubscriptionId = $PurviewId.Split(\"/\")[2]\r\n$purviewResourceGroupName = $PurviewId.Split(\"/\")[4]\r\n$purviewAccountName = $PurviewId.Split(\"/\")[8]\r\n\r\nif ($SetPurviewAccountAsDefault) {\r\n # Set Purview Account as Default in Tenant\r\n Write-Output \"Setting Purview Account as Default in Tenant\"\r\n Set-AzPurviewDefaultAccount `\r\n -ScopeTenantId $tenantId `\r\n -ScopeType \"Tenant\" `\r\n -Scope $tenantId `\r\n -SubscriptionId $purviewSubscriptionId `\r\n -ResourceGroupName $purviewResourceGroupName `\r\n -AccountName $purviewAccountName\r\n} else {\r\n # NOT Set Purview Account as Default in Tenant\r\n Write-Output \"NOT Setting Purview Account as Default in Tenant\"\r\n}\r\n\r\nforeach ($purviewRootCollectionAdmin in $PurviewRootCollectionAdmins) {\r\n # Set Purview Root Collection Admin\r\n Write-Output \"Setting Purview Root Collection Admin '${purviewRootCollectionAdmin}'\"\r\n Add-AzPurviewAccountRootCollectionAdmin `\r\n -SubscriptionId $purviewSubscriptionId `\r\n -ResourceGroupName $purviewResourceGroupName `\r\n -AccountName $purviewAccountName `\r\n 
-ObjectId $purviewRootCollectionAdmin\r\n}\r\n", + "scriptContent": "[variables('$fxv#0')]", "retentionInterval": "P1D", "supportingScriptUris": [], "timeout": "PT30M" diff --git a/infra/modules/auxiliary/purviewKafkaConfiguration.bicep b/infra/modules/auxiliary/purviewKafkaConfiguration.bicep new file mode 100644 index 00000000..47d8ceb8 --- /dev/null +++ b/infra/modules/auxiliary/purviewKafkaConfiguration.bicep 
@@ -0,0 +1,68 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT license. + +// The module contains a template to create Purview Kafka configurations. +targetScope = 'resourceGroup' + +// Parameters +param eventhubnamespaceId string +param eventhubNotificationName string +param eventhubHookName string +param purviewId string + +// Variables +var eventhubnamespaceSubscriptionId = length(split(eventhubnamespaceId, '/')) >= 9 ? split(eventhubnamespaceId, '/')[2] : subscription().subscriptionId +var eventhubnamespaceResourceGroupName = length(split(eventhubnamespaceId, '/')) >= 9 ? split(eventhubnamespaceId, '/')[4] : resourceGroup().name +var eventhubnamespaceName = length(split(eventhubnamespaceId, '/')) >= 9 ? last(split(eventhubnamespaceId, '/')) : 'incorrectSegmentLength' +var purviewName = length(split(purviewId, '/')) >= 9 ? last(split(purviewId, '/')) : 'incorrectSegmentLength' + +// Resources +resource eventhubnamespace 'Microsoft.EventHub/namespaces@2022-01-01-preview' existing = { + name: eventhubnamespaceName + scope: resourceGroup(eventhubnamespaceSubscriptionId, eventhubnamespaceResourceGroupName) +} + +resource eventhubNotification 'Microsoft.EventHub/namespaces/eventhubs@2022-01-01-preview' existing = { + parent: eventhubnamespace + name: eventhubNotificationName +} + +resource eventhubHook 'Microsoft.EventHub/namespaces/eventhubs@2022-01-01-preview' existing = { + parent: eventhubnamespace + name: eventhubHookName +} + +resource purview 'Microsoft.Purview/accounts@2021-07-01' existing = { + name: purviewName +} + +resource purviewKafkaConfigurationNotification 'Microsoft.Purview/accounts/kafkaConfigurations@2021-12-01' = { + parent: purview + name: 'notification' + properties: { + credentials: { + type: 'SystemAssigned' + } + eventHubResourceId: eventhubNotification.id + eventHubType: 'Notification' + eventStreamingState: 'Enabled' + eventStreamingType: 'Azure' + } +} + +resource purviewKafkaConfigurationHook 
'Microsoft.Purview/accounts/kafkaConfigurations@2021-12-01' = { + parent: purview + name: 'hook' + properties: { + credentials: { + type: 'SystemAssigned' + } + eventHubResourceId: eventhubHook.id + eventHubType: 'Hook' + eventStreamingState: 'Enabled' + eventStreamingType: 'Azure' + consumerGroup: '$Default' + } +} + +// Outputs diff --git a/infra/modules/auxiliary/purviewRoleAssignmentEventHub.bicep b/infra/modules/auxiliary/purviewRoleAssignmentEventHub.bicep new file mode 100644 index 00000000..bde54792 --- /dev/null +++ b/infra/modules/auxiliary/purviewRoleAssignmentEventHub.bicep 
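Review bot: The `purview` existing resource is resolved by name only, so the subscription and resource-group segments of `purviewId` are parsed for the Event Hubs namespace but silently ignored for the Purview account; a `purviewId` in another resource group would make both `kafkaConfigurations` resources target a different (or nonexistent) account instead of failing loudly. Because they are child resources, Bicep will not deploy them under a parent whose scope differs from the module's (BCP165, as far as I recall), so the practical fix is to make the constraint explicit rather than bolt on a `scope:`. I would add above the resource: `// purviewId must belong to the deploying resource group: kafkaConfigurations are child resources and cannot be deployed under a parent in another scope.` The governance.bicep caller happens to satisfy this today because it deploys the module without an explicit scope next to purview001, but the module should not rely on that tacitly.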
@@ -0,0 +1,52 @@ +// Copyright (c) Microsoft Corporation. +// Licensed under the MIT license. + +// The module contains a template to create a role assignment from Purview to an EventHub. +targetScope = 'resourceGroup' + +// Parameters +param eventhubnamespaceId string +param eventhubName string +param purviewId string +@allowed([ + 'AzureEventHubsDataReceiver' + 'AzureEventHubsDataSender' +]) +param role string + +// Variables +var eventhubnamespaceName = length(split(eventhubnamespaceId, '/')) >= 9 ? last(split(eventhubnamespaceId, '/')) : 'incorrectSegmentLength' +var purviewSubscriptionId = length(split(purviewId, '/')) >= 9 ? split(purviewId, '/')[2] : subscription().subscriptionId +var purviewResourceGroupName = length(split(purviewId, '/')) >= 9 ? split(purviewId, '/')[4] : resourceGroup().name +var purviewName = length(split(purviewId, '/')) >= 9 ? last(split(purviewId, '/')) : 'incorrectSegmentLength' +var roles = { + AzureEventHubsDataReceiver: 'a638d3c7-ab3a-418d-83e6-5f17a39d4fde' + AzureEventHubsDataSender: '2b629674-e913-4c01-ae53-ef4638d8f975' +} + +// Resources +resource eventhubnamespace 'Microsoft.EventHub/namespaces@2022-01-01-preview' existing = { + name: eventhubnamespaceName +} + +resource eventhub 'Microsoft.EventHub/namespaces/eventhubs@2022-01-01-preview' existing = { + parent: eventhubnamespace + name: eventhubName +} + +resource purview 'Microsoft.Purview/accounts@2020-12-01-preview' existing = { + name: purviewName + scope: resourceGroup(purviewSubscriptionId, purviewResourceGroupName) +} + +resource purviewRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + name: guid(uniqueString(eventhub.id, purview.id)) + scope: eventhub + properties: { + roleDefinitionId: resourceId('Microsoft.Authorization/roleDefinitions', roles[role]) + principalId: purview.identity.principalId + principalType: 'ServicePrincipal' + } +} + +// Outputs 
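Review bot: `name: guid(uniqueString(eventhub.id, purview.id))` on the role assignment does not fold in the role, so the same Purview identity can never hold both allowed roles on one event hub: a later deployment with the other `role` value would try to change `roleDefinitionId` on an existing assignment and fail with RoleAssignmentUpdateNotPermitted. Since this is a new module with no deployed assignments to preserve, include the role in the name now: `name: guid(eventhub.id, purview.id, roles[role])` (guid() already hashes its arguments, so the inner uniqueString() adds nothing). The `purview` existing resource also pins `Microsoft.Purview/accounts@2020-12-01-preview` while purviewKafkaConfiguration.bicep in the same commit uses `2021-07-01`; aligning the two keeps the modules consistent.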
diff --git a/infra/modules/auxiliary/purviewRoleAssignmentKeyVault.bicep b/infra/modules/auxiliary/purviewRoleAssignmentKeyVault.bicep index 80a43fad..e99b1e47 100644 --- a/infra/modules/auxiliary/purviewRoleAssignmentKeyVault.bicep +++ b/infra/modules/auxiliary/purviewRoleAssignmentKeyVault.bicep @@ -7,12 +7,19 @@ targetScope = 'resourceGroup' // Parameters param purviewId string param keyVaultId string +@allowed([ + 'KeyVaultSecretsUser' +]) +param role string // Variables var keyVaultName = length(split(keyVaultId, '/')) >= 9 ? last(split(keyVaultId, '/')) : 'incorrectSegmentLength' var purviewSubscriptionId = length(split(purviewId, '/')) >= 9 ? split(purviewId, '/')[2] : subscription().subscriptionId var purviewResourceGroupName = length(split(purviewId, '/')) >= 9 ? split(purviewId, '/')[4] : resourceGroup().name var purviewName = length(split(purviewId, '/')) >= 9 ? last(split(purviewId, '/')) : 'incorrectSegmentLength' +var roles = { + KeyVaultSecretsUser: '4633458b-17de-408a-b874-0445c86b69e6' +} // Resources resource keyVault 'Microsoft.KeyVault/vaults@2021-04-01-preview' existing = { @@ -28,7 +35,7 @@ resource purviewRoleAssignment 'Microsoft.Authorization/roleAssignments@2020-04- name: guid(uniqueString(keyVault.id, purview.id)) scope: keyVault properties: { - roleDefinitionId: resourceId('Microsoft.Authorization/roleDefinitions', '4633458b-17de-408a-b874-0445c86b69e6') + roleDefinitionId: resourceId('Microsoft.Authorization/roleDefinitions', roles[role]) principalId: purview.identity.principalId principalType: 'ServicePrincipal' } diff --git a/infra/modules/governance.bicep b/infra/modules/governance.bicep index 8f11e912..4945c649 100644 --- a/infra/modules/governance.bicep +++ b/infra/modules/governance.bicep 
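Review bot: The new `role` parameter is constrained by `@allowed` to the single value `KeyVaultSecretsUser`, but the assignment name in the context line, `guid(uniqueString(keyVault.id, purview.id))`, omits the role, so widening that list later would not work: a second role for the same principal on the vault would collide with the existing assignment name and fail with RoleAssignmentUpdateNotPermitted. Unlike the new Event Hub module, this module is already deployed, so changing the name now would instead create a second assignment with the same role, principal and scope and fail with RoleAssignmentExists. I would therefore document the constraint above the `@allowed` block: `// NOTE: the assignment name is derived from keyVault.id and purview.id only; adding a second role requires a role-specific name and removal of the existing assignment.` The `roleAssignments@2020-04-…` API version in the second hunk is also older than the `2022-04-01` used by the sibling Event Hub module.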
@@ -20,6 +20,13 @@ param privateDnsZoneIdKeyVault string = '' // Variables var purview001Name = '${prefix}-purview001' var keyvault001Name = '${prefix}-vault001' +var eventhubnamespace001Name = '${prefix}-eventhub001' +var eventhubNotificationName = 'notification' +var eventhubHookName = 'hook' +var eventhubnamespace001EventhubNames = [ + eventhubNotificationName + eventhubHookName +] // Resources module purview001 'services/purview.bicep' = { @@ -30,10 +37,25 @@ module purview001 'services/purview.bicep' = { tags: tags subnetId: subnetId purviewName: purview001Name + privateDnsZoneIdEventhubNamespace: eventhubnamespace001.outputs.eventhubNamespaceId privateDnsZoneIdPurview: privateDnsZoneIdPurview privateDnsZoneIdPurviewPortal: privateDnsZoneIdPurviewPortal privateDnsZoneIdStorageBlob: privateDnsZoneIdStorageBlob privateDnsZoneIdStorageQueue: privateDnsZoneIdStorageQueue + } +} + +module eventhubnamespace001 'services/eventhubnamespace.bicep' = { + name: 'eventhubnamespace001' + scope: resourceGroup() + params: { + location: location + tags: tags + subnetId: subnetId + eventhubnamespaceName: eventhubnamespace001Name + eventhubNames: eventhubnamespace001EventhubNames + eventhubnamespaceMinThroughput: 1 + eventhubnamespaceMaxThroughput: 1 privateDnsZoneIdEventhubNamespace: privateDnsZoneIdEventhubNamespace } } 
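Review bot: In the `purview001` module block, the added `privateDnsZoneIdEventhubNamespace: eventhubnamespace001.outputs.eventhubNamespaceId` passes the Event Hubs namespace resource ID where a Private DNS zone ID is expected; judging by the sibling `privateDnsZoneId*` parameters, purview.bicep (outside this diff) will feed it into a privateDnsZoneGroup, which will reject a non-zone resource or at best leave the managed event hub's private endpoint without a DNS record. The same file already has the `privateDnsZoneIdEventhubNamespace` parameter that the second hunk passes to `eventhubnamespace001`, so the line should read `privateDnsZoneIdEventhubNamespace: privateDnsZoneIdEventhubNamespace`. The current form also creates an unneeded ordering dependency of purview001 on eventhubnamespace001.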
@@ -50,16 +72,53 @@ module keyVault001 'services/keyvault.bicep' = { } } -module purviewKeyVaultRoleAssignment 'auxiliary/purviewRoleAssignmentKeyVault.bicep' = { - name: 'purviewKeyVaultRoleAssignment' +module purviewKafkaConfiguration 'auxiliary/purviewKafkaConfiguration.bicep' = { + name: 'purviewKafkaConfiguration' + dependsOn: [ + purviewRoleAssignmentEventhubHook + purviewRoleAssignmentEventhubNotification + ] + params: { + purviewId: purview001.outputs.purviewId + eventhubnamespaceId: eventhubnamespace001.outputs.eventhubNamespaceId + eventhubHookName: eventhubHookName + eventhubNotificationName: eventhubNotificationName + } +} + +module purviewRoleAssignmentKeyVault 'auxiliary/purviewRoleAssignmentKeyVault.bicep' = { + name: 'purviewRoleAssignmentKeyVault' scope: resourceGroup() params: { purviewId: purview001.outputs.purviewId keyVaultId: keyVault001.outputs.keyvaultId + role: 'KeyVaultSecretsUser' + } +} + +module purviewRoleAssignmentEventhubNotification 'auxiliary/purviewRoleAssignmentEventHub.bicep' = { + name: 'purviewRoleAssignmentEventhubNotification' + scope: resourceGroup() + params: { + purviewId: purview001.outputs.purviewId + eventhubnamespaceId: eventhubnamespace001.outputs.eventhubNamespaceId + eventhubName: eventhubNotificationName + role: 'AzureEventHubsDataSender' + } +} + +module purviewRoleAssignmentEventhubHook 'auxiliary/purviewRoleAssignmentEventHub.bicep' = { + name: 'purviewRoleAssignmentEventhubHook' + scope: resourceGroup() + params: { + purviewId: purview001.outputs.purviewId + eventhubnamespaceId: eventhubnamespace001.outputs.eventhubNamespaceId + eventhubName: eventhubHookName + role: 'AzureEventHubsDataReceiver' } } // Outputs output purviewId string = purview001.outputs.purviewId output purviewManagedStorageId string = purview001.outputs.purviewManagedStorageId -output purviewManagedEventHubId string = purview001.outputs.purviewManagedEventHubId +output purviewManagedEventHubId string = 
eventhubnamespace001.outputs.eventhubNamespaceId diff --git a/infra/modules/services/containerregistry.bicep b/infra/modules/services/containerregistry.bicep index e951b934..2ef63f83 100644 --- a/infra/modules/services/containerregistry.bicep +++ b/infra/modules/services/containerregistry.bicep @@ -16,7 +16,7 @@ var containerRegistryNameCleaned = replace(containerRegistryName, '-', '') var containerRegistryPrivateEndpointName = '${containerRegistry.name}-private-endpoint' // Resources -resource containerRegistry 'Microsoft.ContainerRegistry/registries@2020-11-01-preview' = { +resource containerRegistry 'Microsoft.ContainerRegistry/registries@2022-02-01-preview' = { name: containerRegistryNameCleaned location: location tags: tags @@ -37,6 +37,12 @@ resource containerRegistry 'Microsoft.ContainerRegistry/registries@2020-11-01-pr virtualNetworkRules: [] } policies: { + azureADAuthenticationAsArmPolicy: { + status: 'enabled' + } + exportPolicy: { + status: 'enabled' + } quarantinePolicy: { status: 'enabled' } @@ -44,6 +50,10 @@ resource containerRegistry 'Microsoft.ContainerRegistry/registries@2020-11-01-pr status: 'enabled' days: 7 } + softDeletePolicy: { + status: 'disabled' + retentionDays: 7 + } trustPolicy: { status: 'disabled' type: 'Notary' diff --git a/infra/modules/services/eventhubnamespace.bicep b/infra/modules/services/eventhubnamespace.bicep new file mode 100644 index 00000000..e92a3f0d --- /dev/null +++ b/infra/modules/services/eventhubnamespace.bicep 
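Review bot: `output purviewManagedEventHubId string = eventhubnamespace001.outputs.eventhubNamespaceId` keeps the old output name but now returns a customer-managed namespace rather than a Purview-managed event hub, and the compiled main.json in this commit forwards it under the same name, so any consumer expecting a `namespaces/eventhubs` ID now receives a namespace ID. If the name is kept for compatibility, say so on the line: `// Compatibility: formerly the Purview-managed Event Hub; now the customer-managed namespace hosting the notification/hook hubs.` Separately, `purviewKafkaConfiguration` orders itself after the two role-assignment modules only via `dependsOn`; Azure RBAC propagation is eventually consistent, so if Purview validates access when a Kafka configuration is created (I cannot confirm that from here), a first deployment may need a retry, which is worth a comment on the `dependsOn`.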
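Review bot: `exportPolicy: { status: 'enabled' }` is added explicitly to a registry that is fronted by a private endpoint (`containerRegistryPrivateEndpointName` in the context line) and has empty `virtualNetworkRules`; enabled export is the permissive default, and the data-exfiltration-prevention posture for a privately reached registry is `exportPolicy: { status: 'disabled' }`, which Azure accepts only together with `publicNetworkAccess: 'Disabled'` (not visible in this hunk — confirm it is set). Likewise `azureADAuthenticationAsArmPolicy: { status: 'enabled' }` allows ARM-audience tokens to authenticate; `'disabled'` restricts logins to ACR-audience tokens and is the hardened option. If both stay enabled deliberately, a one-line comment on each stating why (e.g. images must be exported to another registry) would stop the next reviewer from re-raising it.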
@@ -0,0 +1,123 @@
+// Copyright (c) Microsoft Corporation.
+// Licensed under the MIT license.
+
+// This template is used to create an EventHub Namespace.
+targetScope = 'resourceGroup'
+
+// Parameters
+param location string
+param tags object
+param subnetId string
+param eventhubnamespaceName string
+@minValue(1)
+@maxValue(20)
+param eventhubnamespaceMinThroughput int
+@minValue(1)
+@maxValue(20)
+param eventhubnamespaceMaxThroughput int
+param eventhubNames array = []
+param privateDnsZoneIdEventhubNamespace string = ''
+
+// Variables
+var eventhubNamespacePrivateEndpointName = '${eventhubNamespace.name}-private-endpoint'
+
+// Resources
+resource eventhubNamespace 'Microsoft.EventHub/namespaces@2022-01-01-preview' = {
+ name: eventhubnamespaceName
+ location: location
+ tags: tags
+ identity: {
+ type: 'SystemAssigned'
+ }
+ sku: {
+ name: 'Standard'
+ tier: 'Standard'
+ capacity: eventhubnamespaceMinThroughput
+ }
+ properties: {
+ disableLocalAuth: true
+ isAutoInflateEnabled: true
+ kafkaEnabled: true
+ maximumThroughputUnits: eventhubnamespaceMaxThroughput
+ zoneRedundant: true
+ }
+}
+
+resource eventhubNamespaceNetworkRuleSets 'Microsoft.EventHub/namespaces/networkRuleSets@2021-06-01-preview' = {
+ name: 'default'
+ parent: eventhubNamespace
+ properties: {
+ defaultAction: 'Deny'
+ ipRules: []
+ virtualNetworkRules: []
+ publicNetworkAccess: 'Enabled'
+ trustedServiceAccessEnabled: true
+ }
+}
+
+resource eventhubs 'Microsoft.EventHub/namespaces/eventhubs@2022-01-01-preview' = [for item in eventhubNames: {
+ parent: eventhubNamespace
+ name: item
+ properties: {
+ captureDescription: {
+ enabled: false
+ destination: {
+ name: 'default'
+ properties: {
+ archiveNameFormat: ''
+ blobContainer: ''
+ storageAccountResourceId: ''
+ }
+ }
+ encoding: 'Avro'
+ intervalInSeconds: 900
+ sizeLimitInBytes: 10485760
+ skipEmptyArchives: true
+ }
+ messageRetentionInDays: 3
+ partitionCount: 1
+ status: 'Active'
+ }
+}]
+
+resource eventhubNamespacePrivateEndpoint 'Microsoft.Network/privateEndpoints@2020-11-01' = {
+ name: eventhubNamespacePrivateEndpointName
+ location: location
+ tags: tags
+ properties: {
+ manualPrivateLinkServiceConnections: []
+ privateLinkServiceConnections: [
+ {
+ name: eventhubNamespacePrivateEndpointName
+ properties: {
+ groupIds: [
+ 'namespace'
+ ]
+ privateLinkServiceId: eventhubNamespace.id
+ requestMessage: ''
+ }
+ }
+ ]
+ subnet: {
+ id: subnetId
+ }
+ }
+}
+
+resource eventhubNamespacePrivateEndpointARecord 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2020-11-01' = if (!empty(privateDnsZoneIdEventhubNamespace)) {
+ parent: eventhubNamespacePrivateEndpoint
+ name: 'default'
+ properties: {
+ privateDnsZoneConfigs: [
+ {
+ name: '${eventhubNamespacePrivateEndpoint.name}-arecord'
+ properties: {
+ privateDnsZoneId: privateDnsZoneIdEventhubNamespace
+ }
+ }
+ ]
+ }
+}
+
+// Outputs
+output eventhubNamespaceId string = eventhubNamespace.id
diff --git a/infra/modules/services/keyvault.bicep b/infra/modules/services/keyvault.bicep
index 0b60ed95..1073044c 100644
--- a/infra/modules/services/keyvault.bicep
+++ b/infra/modules/services/keyvault.bicep
@@ -15,7 +15,7 @@ param privateDnsZoneIdKeyVault string = ''
 var keyVaultPrivateEndpointName = '${keyVault.name}-private-endpoint'

 // Resources
-resource keyVault 'Microsoft.KeyVault/vaults@2021-04-01-preview' = {
+resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = {
 name: keyvaultName
 location: location
 tags: tags
@@ -34,6 +34,7 @@ resource keyVault 'Microsoft.KeyVault/vaults@2021-04-01-preview' = {
 ipRules: []
 virtualNetworkRules: []
 }
+ publicNetworkAccess: 'Enabled'
 sku: {
 family: 'A'
 name: 'standard'
diff --git a/infra/modules/services/privatednszones.bicep b/infra/modules/services/privatednszones.bicep
index cd622212..257d48a5 100644
--- a/infra/modules/services/privatednszones.bicep
+++ b/infra/modules/services/privatednszones.bicep
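Review bot: `publicNetworkAccess: 'Enabled'` in `eventhubNamespaceNetworkRuleSets` keeps the namespace's public endpoint reachable even though the same file provisions `eventhubNamespacePrivateEndpoint` and sets `defaultAction: 'Deny'`; the deny action only filters traffic on the public path, whereas `publicNetworkAccess: 'Disabled'` removes that path, so the consistent value for a private-endpoint-only namespace is `publicNetworkAccess: 'Disabled'`. If the public endpoint is intentionally kept for the `trustedServiceAccessEnabled: true` bypass, that trade-off should be stated on the line, since trusted-service access widens who can reach the namespace beyond the VNet. `disableLocalAuth: true` on the namespace is the right choice and means only Azure AD principals with a data-plane role can produce or consume. Minor: the rule set is declared at API version `2021-06-01-preview` while the namespace and hubs use `2022-01-01-preview`; aligning them avoids mixing schemas for one resource.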
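Review bot: The added `publicNetworkAccess: 'Enabled'` explicitly opens the vault's public endpoint in a module that also builds a private endpoint for it (`keyVaultPrivateEndpointName` above), and the `networkAcls` default action that would gate that endpoint is outside the hunk, so I cannot tell from here whether the firewall is Deny. For a private-endpoint-only vault the matching value is `publicNetworkAccess: 'Disabled'`; if it is enabled on purpose (for example for a deployment pipeline outside the VNet), a comment on the line such as `// public endpoint kept for pipeline access; networkAcls defaultAction must stay Deny` records the reason. The `keyVault` resource body starts and ends outside the hunk.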
@@ -32,6 +32,7 @@ var privateDnsZoneNames = [
 'privatelink.eventgrid.azure.net'
 'privatelink.file.${environment().suffixes.storage}'
 'privatelink.gremlin.cosmos.azure.com'
+ 'privatelink.kusto.azuresynapse.net'
 'privatelink.mariadb.database.azure.com'
 'privatelink.mongo.cosmos.azure.com'
 'privatelink.mysql.database.azure.com'
diff --git a/infra/modules/services/purview.bicep b/infra/modules/services/purview.bicep
index f0efbf53..bd9b088e 100644
--- a/infra/modules/services/purview.bicep
+++ b/infra/modules/services/purview.bicep
@@ -29,13 +29,20 @@ var purviewRegions = [
 'eastus'
 'eastus2'
 'francecentral'
+ 'japaneast'
+ 'koreacentral'
 'northeurope'
+ 'southafricanorth'
 'southcentralus'
 'southeastasia'
+ 'switzerlandnorth'
+ 'uaenorth'
 'uksouth'
 'westcentralus'
 'westeurope'
+ 'westus'
 'westus2'
+ 'westus3'
 ]

 // Resources
@@ -211,46 +218,6 @@ resource purviewPrivateEndpointQueueARecord 'Microsoft.Network/privateEndpoints/
 }
 }

-resource purviewPrivateEndpointNamespace 'Microsoft.Network/privateEndpoints@2020-11-01' = {
- name: purviewPrivateEndpointNameNamespace
- location: location
- tags: tags
- properties: {
- manualPrivateLinkServiceConnections: []
- privateLinkServiceConnections: [
- {
- name: purviewPrivateEndpointNameNamespace
- properties: {
- groupIds: [
- 'namespace'
- ]
- privateLinkServiceId: purview.properties.managedResources.eventHubNamespace
- requestMessage: ''
- }
- }
- ]
- subnet: {
- id: subnetId
- }
- }
-}
-
-resource purviewPrivateEndpointNamespaceARecord 'Microsoft.Network/privateEndpoints/privateDnsZoneGroups@2020-11-01' = if(!empty(privateDnsZoneIdEventhubNamespace)) {
- parent: purviewPrivateEndpointNamespace
- name: 'default'
- properties: {
- privateDnsZoneConfigs: [
- {
- name: '${purviewPrivateEndpointNamespace.name}-arecord'
- properties: {
- privateDnsZoneId: privateDnsZoneIdEventhubNamespace
- }
- }
- ]
- }
-}
-
 // Outputs
 output purviewId string = purview.id
 output purviewManagedStorageId string = purview.properties.managedResources.storageAccount
-output purviewManagedEventHubId string = purview.properties.managedResources.eventHubNamespace
diff --git a/infra/modules/services/synapseprivatelinkhub.bicep b/infra/modules/services/synapseprivatelinkhub.bicep
index 42e9c950..f377cf24 100644
--- a/infra/modules/services/synapseprivatelinkhub.bicep
+++ b/infra/modules/services/synapseprivatelinkhub.bicep
@@ -15,41 +15,43 @@ param privateDnsZoneIdSynapseprivatelinkhub string
 var synapsePrivatelinkHubNameCleaned = replace(synapsePrivatelinkHubName, '-', '')
 var synapsePrivatelinkHubPrivateEndpointName = '${synapsePrivatelinkHub.name}-private-endpoint'
 var synapsePrivatelinkHubRegions = [
- 'westus2'
- 'eastus'
- 'northeurope'
- 'westeurope'
- 'southeastasia'
 'australiaeast'
- 'westcentralus'
- 'southcentralus'
- 'eastus2'
- 'uksouth'
- 'westus'
 'australiasoutheast'
- 'eastasia'
 'brazilsouth'
- 'centralus'
- 'centralindia'
- 'japaneast'
- 'northcentralus'
 'canadacentral'
 'canadaeast'
- 'koreacentral'
- 'southafricanorth'
- 'ukwest'
- 'japanwest'
+ 'centralindia'
+ 'centralus'
+ 'eastasia'
+ 'eastus'
+ 'eastus2'
 'francecentral'
- 'switzerlandnorth'
 'germanywestcentral'
+ 'japaneast'
+ 'japanwest'
+ 'koreacentral'
+ 'northcentralus'
+ 'northeurope'
 'norwayeast'
+ 'quatarcentral'
+ 'southafricanorth'
+ 'southcentralus'
+ 'southindia'
+ 'southeastasia'
+ 'switzerlandnorth'
 'uaenorth'
+ 'uksouth'
+ 'ukwest'
+ 'westcentralus'
+ 'westeurope'
+ 'westus'
+ 'westus2'
 'westus3'
 'jioindiawest'
 ]

 // Resources
-resource synapsePrivatelinkHub 'Microsoft.Synapse/privateLinkHubs@2021-03-01' = {
+resource synapsePrivatelinkHub 'Microsoft.Synapse/privateLinkHubs@2021-06-01' = {
 name: synapsePrivatelinkHubNameCleaned
 location: contains(synapsePrivatelinkHubRegions, location) ? location : 'northeurope'
 tags: tags
diff --git a/infra/modules/services/userassignedidentity.bicep b/infra/modules/services/userassignedidentity.bicep
index 874fa23b..d6110eed 100644
--- a/infra/modules/services/userassignedidentity.bicep
+++ b/infra/modules/services/userassignedidentity.bicep
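Review bot: `'quatarcentral'` in the new region list is misspelled (the Azure region name is `qatarcentral`), so `contains(synapsePrivatelinkHubRegions, location)` is false for that region and the `location:` expression below silently places the private link hub in `northeurope` instead of failing, which is a data-residency surprise rather than an error; change the entry to `'qatarcentral'`. Because the fallback hides any future typo the same way, a note on the location line such as `// falls back to northeurope when the hub is not offered in location` would make the behaviour explicit. Minor ordering: `'southindia'` sits before `'southeastasia'` and `'jioindiawest'` trails `'westus3'` in an otherwise alphabetised list. The `synapsePrivatelinkHub` resource continues outside the hunk.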
@@ -12,7 +12,7 @@ param userAssignedIdentityName string
 // Variables

 // Resources
-resource userAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = {
+resource userAssignedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2022-01-31-preview' = {
 name: userAssignedIdentityName
 location: location
 tags: tags