ARM template with system managed identity - capture

Author: spelluru

articles/event-hubs/event-hubs-capture-managed-identity.md

@@ -2,7 +2,7 @@
 title: Use managed Identities to capture Azure Event Hubs events
 description: This article explains how to use managed identities to capture events to a destination such as Azure Blob Storage and Azure Data Lake Storage. 
 ms.topic: article
-ms.date: 05/23/2023
+ms.date: 03/20/2024
 ---
 
 
@@ -14,7 +14,7 @@ The default authentication method is to use Shared Access Signature(SAS) to acce
 
 :::image type="content" source="./media/event-hubs-capture-overview/event-hubs-capture-default.png" alt-text="Image showing capturing of Event Hubs data into Azure Storage or Azure Data Lake Storage using default SAS authentication mode":::
 
-With this approach, you can capture data to destinations resources that are in the same subscription only. 
+With this approach, you can capture data to destinations resources that are in the **same subscription** only. 
 
 ## Use Managed Identity 
 With [managed identity](../active-directory/managed-identities-azure-resources/overview.md), users can seamlessly capture data to a preferred destination by using Microsoft Entra ID based authentication and authorization. 
@@ -33,6 +33,268 @@ Then you can select `System Assigned` managed identity option when enabling the
 
  Then capture agent would use the identity of the namespace for authentication and authorization with the capture destination. 
 
+### Azure Resource Manager template
+Here's an example Azure Resource Manager template to configure capturing of data using a system-assigned managed identity. 
+
+```json
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {
+        "namespaces_eventhubcapture_name": {
+            "defaultValue": "eventhubcapturens",
+            "type": "String"
+        },
+        "captureEnabled": {
+            "defaultValue": true,
+            "type": "Bool",
+            "metadata": {
+                "description": "Enable or disable the Capture feature for your event hub."
+            }
+        },
+        "captureEncodingFormat": {
+            "defaultValue": "Avro",
+            "allowedValues": [
+                "Avro"
+            ],
+            "type": "String",
+            "metadata": {
+                "description": "The encoding format that Event Hubs Capture uses to serialize the event data when archiving to your storage."
+            }
+        },
+        "captureTime": {
+            "defaultValue": 300,
+            "minValue": 60,
+            "maxValue": 900,
+            "type": "Int",
+            "metadata": {
+                "description": "the time window in seconds for the archival."
+            }
+        },
+        "captureSize": {
+            "defaultValue": 314572800,
+            "minValue": 10485760,
+            "maxValue": 524288000,
+            "type": "Int",
+            "metadata": {
+                "description": "the size window in bytes for the capture."
+            }
+        },
+        "blobContainerName": {
+            "type": "String",
+            "metadata": {
+                "description": "Your existing storage container that you want the blobs archived in."
+            }
+        },
+        "captureNameFormat": {
+            "defaultValue": "{Namespace}/{EventHub}/{PartitionId}/{Year}/{Month}/{Day}/{Hour}/{Minute}/{Second}",
+            "type": "String",
+            "metadata": {
+                "description": "A Capture Name Format must contain {Namespace}, {EventHub}, {PartitionId}, {Year}, {Month}, {Day}, {Hour}, {Minute} and {Second} fields. These can be arranged in any order with or without delimiters. E.g.  Prod_{EventHub}/{Namespace}\\{PartitionId}_{Year}_{Month}/{Day}/{Hour}/{Minute}/{Second}"
+            }
+        },
+		"existingStgSubId": {
+            "type": "String",
+            "metadata": {
+                "description": "The ID of the Azure subscription that has your existing storage account."
+            }
+        },
+		"existingStgAccRG": {
+            "type": "String",
+            "metadata": {
+                "description": "The resource group that has the storage account."
+            }
+        },
+        "existingStgAcctName": {
+            "type": "String",
+            "metadata": {
+                "description": "The name of the storage account."
+            }
+        }
+    },
+    "variables": 
+	{
+		"roleAssignmentId": "[guid(resourceId('Microsoft.EventHub/namespaces/',parameters('namespaces_eventhubcapture_name')))]",
+		"storageBlobDataOwnerId": "[concat(subscription().Id, '/providers/Microsoft.Authorization/roleDefinitions/', 'b7e6dc6d-f1e8-4753-8033-0f276bb0955b')]",
+		"ehId": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/', 'Microsoft.EventHub/namespaces/',parameters('namespaces_eventhubcapture_name')) ]",
+		"existingStorageAcctResourceId" : "[concat('/subscriptions/', parameters('existingStgSubId'), '/resourceGroups/', parameters('existingStgAccRG'), '/providers/', 'Microsoft.Storage/storageAccounts/',parameters('existingStgAcctName')) ]"
+	},
+    "resources": [
+        {
+            "type": "Microsoft.EventHub/namespaces",
+            "apiVersion": "2023-01-01-preview",
+            "name": "[parameters('namespaces_eventhubcapture_name')]",
+            "location": "eastus",
+            "sku": {
+                "name": "Standard",
+                "tier": "Standard",
+                "capacity": 1
+            },
+            "identity": {
+                "type": "SystemAssigned"
+            },
+            "properties": {
+                "minimumTlsVersion": "1.2",
+                "publicNetworkAccess": "Enabled",
+                "disableLocalAuth": false,
+                "zoneRedundant": true,
+                "isAutoInflateEnabled": false,
+                "maximumThroughputUnits": 0,
+                "kafkaEnabled": true
+            }
+        },
+        {
+            "type": "Microsoft.EventHub/namespaces/authorizationrules",
+            "apiVersion": "2023-01-01-preview",
+            "name": "[concat(parameters('namespaces_eventhubcapture_name'), '/RootManageSharedAccessKey')]",
+            "location": "eastus",
+            "dependsOn": [
+                "[resourceId('Microsoft.EventHub/namespaces', parameters('namespaces_eventhubcapture_name'))]"
+            ],
+            "properties": {
+                "rights": [
+                    "Listen",
+                    "Manage",
+                    "Send"
+                ]
+            }
+        },
+		{
+			"type": "Microsoft.Resources/deployments",
+			"apiVersion": "2022-09-01",
+			"name": "nestedStgTemplate",
+			"subscriptionId": "[parameters('existingStgSubId')]",
+			"resourceGroup": "[parameters('existingStgAccRG')]",
+			"properties": {
+				"expressionEvaluationOptions": {
+					"scope": "outer"
+				},
+				"mode": "Incremental",
+				"template": {
+					"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+					"contentVersion": "1.0.0.0",
+					"resources": [
+						{
+							"type": "Microsoft.Authorization/roleAssignments",
+							"name": "C0F7F914-0FF9-47B2-9960-1D64D97FF594",
+							"apiVersion": "2018-01-01-preview",
+							"scope": "[variables('existingStorageAcctResourceId')]",
+							"properties": {
+								"roleDefinitionId": "[variables('storageBlobDataOwnerId')]",
+								"principalId": "[reference(variables('ehId'), '2021-11-01', 'Full').identity.principalId]"
+							}
+						}
+					]
+				}
+			}
+		},
+        {
+            "type": "Microsoft.EventHub/namespaces/eventhubs",
+            "apiVersion": "2023-01-01-preview",
+            "name": "[concat(parameters('namespaces_eventhubcapture_name'), '/capture')]",
+            "location": "eastus",
+            "dependsOn": [
+                "[resourceId('Microsoft.EventHub/namespaces', parameters('namespaces_eventhubcapture_name'))]",
+				"nestedStgTemplate"
+            ],
+            "properties": {
+                "retentionDescription": {
+                    "cleanupPolicy": "Delete",
+                    "retentionTimeInHours": 24
+                },
+                "messageRetentionInDays": 1,
+                "partitionCount": 1,
+                "status": "Active",
+                "captureDescription": {
+                    "enabled": "[parameters('captureEnabled')]",
+                    "skipEmptyArchives": false,
+                    "encoding": "[parameters('captureEncodingFormat')]",
+                    "intervalInSeconds": "[parameters('captureTime')]",
+                    "sizeLimitInBytes": "[parameters('captureSize')]",
+                    "destination": {
+                        "name": "EventHubArchive.AzureBlockBlob",
+                        "properties": {
+                            "storageAccountResourceId": "[variables('existingStorageAcctResourceId')]",
+                            "blobContainer": "[parameters('blobContainerName')]",
+                            "archiveNameFormat": "[parameters('captureNameFormat')]"
+                        },
+						"identity": {
+							"type": "SystemAssigned"
+						}
+                    }
+                }
+            }
+        },
+        {
+            "type": "Microsoft.EventHub/namespaces/networkRuleSets",
+            "apiVersion": "2023-01-01-preview",
+            "name": "[concat(parameters('namespaces_eventhubcapture_name'), '/default')]",
+            "location": "eastus",
+            "dependsOn": [
+                "[resourceId('Microsoft.EventHub/namespaces', parameters('namespaces_eventhubcapture_name'))]"
+            ],
+            "properties": {
+                "publicNetworkAccess": "Enabled",
+                "defaultAction": "Allow",
+                "virtualNetworkRules": [],
+                "ipRules": []
+            }
+        },
+        {
+            "type": "Microsoft.EventHub/namespaces/eventhubs/consumergroups",
+            "apiVersion": "2023-01-01-preview",
+            "name": "[concat(parameters('namespaces_eventhubcapture_name'), '/capture/$Default')]",
+            "location": "eastus",
+            "dependsOn": [
+                "[resourceId('Microsoft.EventHub/namespaces/eventhubs', parameters('namespaces_eventhubcapture_name'), 'capture')]",
+                "[resourceId('Microsoft.EventHub/namespaces', parameters('namespaces_eventhubcapture_name'))]"
+            ],
+            "properties": {}
+        }
+    ]
+}
+```
+
+**Parameters.json**:
+
+```json
+{
+    "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {
+        "namespaces_eventhubcapture_name": {
+            "value": "NAMESPACENAME"
+        },
+        "captureEnabled": {
+            "value": true
+        },
+        "captureEncodingFormat": {
+            "value": "Avro"
+        },
+        "captureTime": {
+            "value": 300
+        },
+        "captureSize": {
+            "value": 314572800
+        },
+        "blobContainerName": {
+            "value": "BLOBCONTAINERNAME"
+        },
+        "captureNameFormat": {
+            "value": "{Namespace}/{EventHub}/{PartitionId}/{Year}/{Month}/{Day}/{Hour}/{Minute}/{Second}"
+        },
+		"existingStgSubId": {
+            "value": "00000000-0000-0000-0000-00000000000000"
+        },
+		"existingStgAccRG": {
+            "value": "STORAGERESOURCEGROUPNAME"
+        },
+		"existingStgAcctName": {
+            "value": "STORAGEACCOUNTNAME"
+        }
+    }
+}
+```
 
 ### Use a user-assigned managed identity to capture events
 You can create a user-assigned managed identity and use it for authenticate and authorize with the capture destination of Event hubs. Once the managed identity is created, you can assign it to the Event Hubs namespace and make sure that the capture destination has the required role assignment enabled for the corresponding user assigned identity.