[Modules] Updates to the Azure Monitor Private Link Service (AMPLS) M…

…odule (#4392) * Added types and upgraded api version * Added tests * Uncommented code * Added documentation to accessModeSettings and added PrivateOnly value * Testing using condition * PR feedback * Removed access mode from default test * Updated readme and main.json * PR feedback * Uncommented code, added description for exclusion * Updated markdown and json * Fixed description to adhere to test * PR feedback
Azure · Jan 4, 2024 · cfd1a4a · cfd1a4a
1 parent 864df52
commit cfd1a4a
Show file tree

Hide file tree

Showing 6 changed files with 307 additions and 24 deletions.
diff --git a/modules/insights/private-link-scope/README.md b/modules/insights/private-link-scope/README.md
@@ -16,7 +16,7 @@ This module deploys an Azure Monitor Private Link Scope.
 | :-- | :-- |
 | `Microsoft.Authorization/locks` | [2020-05-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2020-05-01/locks) |
 | `Microsoft.Authorization/roleAssignments` | [2022-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Authorization/2022-04-01/roleAssignments) |
-| `microsoft.insights/privateLinkScopes` | [2019-10-17-preview](https://learn.microsoft.com/en-us/azure/templates/microsoft.insights/2019-10-17-preview/privateLinkScopes) |
+| `microsoft.insights/privateLinkScopes` | [2021-07-01-preview](https://learn.microsoft.com/en-us/azure/templates/microsoft.insights/2021-07-01-preview/privateLinkScopes) |
 | `Microsoft.Insights/privateLinkScopes/scopedResources` | [2021-07-01-preview](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Insights/2021-07-01-preview/privateLinkScopes/scopedResources) |
 | `Microsoft.Network/privateEndpoints` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints) |
 | `Microsoft.Network/privateEndpoints/privateDnsZoneGroups` | [2023-04-01](https://learn.microsoft.com/en-us/azure/templates/Microsoft.Network/2023-04-01/privateEndpoints/privateDnsZoneGroups) |
@@ -95,6 +95,17 @@ This instance deploys the module with most of its features enabled.
     // Required parameters
     name: 'iplsmax001'
     // Non-required parameters
+    accessModeSettings: {
+      exclusions: [
+        {
+          ingestionAccessMode: 'PrivateOnly'
+          privateEndpointConnectionName: 'thisisatest'
+          queryAccessMode: 'PrivateOnly'
+        }
+      ]
+      ingestionAccessMode: 'Open'
+      queryAccessMode: 'Open'
+    }
     enableDefaultTelemetry: '<enableDefaultTelemetry>'
     privateEndpoints: [
       {
@@ -158,6 +169,19 @@ This instance deploys the module with most of its features enabled.
       "value": "iplsmax001"
     },
     // Non-required parameters
+    "accessModeSettings": {
+      "value": {
+        "exclusions": [
+          {
+            "ingestionAccessMode": "PrivateOnly",
+            "privateEndpointConnectionName": "thisisatest",
+            "queryAccessMode": "PrivateOnly"
+          }
+        ],
+        "ingestionAccessMode": "Open",
+        "queryAccessMode": "Open"
+      }
+    },
     "enableDefaultTelemetry": {
       "value": "<enableDefaultTelemetry>"
     },
@@ -232,6 +256,17 @@ This instance deploys the module in alignment with the best-practices of the Azu
     // Required parameters
     name: 'iplswaf001'
     // Non-required parameters
+    accessModeSettings: {
+      exclusions: [
+        {
+          ingestionAccessMode: 'PrivateOnly'
+          privateEndpointConnectionName: 'thisisatest'
+          queryAccessMode: 'PrivateOnly'
+        }
+      ]
+      ingestionAccessMode: 'Open'
+      queryAccessMode: 'Open'
+    }
     enableDefaultTelemetry: '<enableDefaultTelemetry>'
     privateEndpoints: [
       {
@@ -278,6 +313,19 @@ This instance deploys the module in alignment with the best-practices of the Azu
       "value": "iplswaf001"
     },
     // Non-required parameters
+    "accessModeSettings": {
+      "value": {
+        "exclusions": [
+          {
+            "ingestionAccessMode": "PrivateOnly",
+            "privateEndpointConnectionName": "thisisatest",
+            "queryAccessMode": "PrivateOnly"
+          }
+        ],
+        "ingestionAccessMode": "Open",
+        "queryAccessMode": "Open"
+      }
+    },
     "enableDefaultTelemetry": {
       "value": "<enableDefaultTelemetry>"
     },
@@ -331,6 +379,10 @@ This instance deploys the module in alignment with the best-practices of the Azu
 
 | Parameter | Type | Description |
 | :-- | :-- | :-- |
+| [`accessModeSettings`](#parameter-accessmodesettings) | object | Specifies the access mode of ingestion or queries through associated private endpoints in scope. For security reasons, it is recommended to use PrivateOnly whenever possible to avoid data exfiltration.
+
+  * Private Only - This mode allows the connected virtual network to reach only Private Link resources. It is the most secure mode and is set as the default when the `privateEndpoints` parameter is configured.
+  * Open - Allows the connected virtual network to reach both Private Link resources and the resources not in the AMPLS resource. Data exfiltration cannot be prevented in this mode. |
 | [`enableDefaultTelemetry`](#parameter-enabledefaulttelemetry) | bool | Enable telemetry via a Globally Unique Identifier (GUID). |
 | [`location`](#parameter-location) | string | The location of the private link scope. Should be global. |
 | [`lock`](#parameter-lock) | object | The lock settings of the service. |
@@ -346,6 +398,64 @@ Name of the private link scope.
 - Required: Yes
 - Type: string
 
+### Parameter: `accessModeSettings`
+
+Specifies the access mode of ingestion or queries through associated private endpoints in scope. For security reasons, it is recommended to use PrivateOnly whenever possible to avoid data exfiltration.
+
+  * Private Only - This mode allows the connected virtual network to reach only Private Link resources. It is the most secure mode and is set as the default when the `privateEndpoints` parameter is configured.
+  * Open - Allows the connected virtual network to reach both Private Link resources and the resources not in the AMPLS resource. Data exfiltration cannot be prevented in this mode.
+
+- Required: No
+- Type: object
+
+**Required parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`ingestionAccessMode`](#parameter-accessmodesettingsingestionaccessmode) | string | Specifies the default access mode of ingestion through associated private endpoints in scope. |
+| [`queryAccessMode`](#parameter-accessmodesettingsqueryaccessmode) | string | Specifies the default access mode of queries through associated private endpoints in scope. |
+
+**Optional parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`exclusions`](#parameter-accessmodesettingsexclusions) | array | List of exclusions that override the default access mode settings for specific private endpoint connections. Exclusions for the current created Private endpoints can only be applied post initial provisioning. |
+
+### Parameter: `accessModeSettings.ingestionAccessMode`
+
+Specifies the default access mode of ingestion through associated private endpoints in scope.
+
+- Required: Yes
+- Type: string
+- Allowed:
+  ```Bicep
+  [
+    'Open'
+    'PrivateOnly'
+  ]
+  ```
+
+### Parameter: `accessModeSettings.queryAccessMode`
+
+Specifies the default access mode of queries through associated private endpoints in scope.
+
+- Required: Yes
+- Type: string
+- Allowed:
+  ```Bicep
+  [
+    'Open'
+    'PrivateOnly'
+  ]
+  ```
+
+### Parameter: `accessModeSettings.exclusions`
+
+List of exclusions that override the default access mode settings for specific private endpoint connections. Exclusions for the current created Private endpoints can only be applied post initial provisioning.
+
+- Required: No
+- Type: array
+
 ### Parameter: `enableDefaultTelemetry`
 
 Enable telemetry via a Globally Unique Identifier (GUID).
@@ -741,7 +851,27 @@ Configuration details for Azure Monitor Resources.
 
 - Required: No
 - Type: array
-- Default: `[]`
+
+**Required parameters**
+
+| Parameter | Type | Description |
+| :-- | :-- | :-- |
+| [`linkedResourceId`](#parameter-scopedresourceslinkedresourceid) | string | The resource ID of the scoped Azure monitor resource. |
+| [`name`](#parameter-scopedresourcesname) | string | Name of the private link scoped resource. |
+
+### Parameter: `scopedResources.linkedResourceId`
+
+The resource ID of the scoped Azure monitor resource.
+
+- Required: Yes
+- Type: string
+
+### Parameter: `scopedResources.name`
+
+Name of the private link scoped resource.
+
+- Required: Yes
+- Type: string
 
 ### Parameter: `tags`
 

diff --git a/modules/insights/private-link-scope/main.bicep b/modules/insights/private-link-scope/main.bicep
@@ -6,6 +6,12 @@ metadata owner = 'Azure/module-maintainers'
 @minLength(1)
 param name string
 
+@description('''Optional. Specifies the access mode of ingestion or queries through associated private endpoints in scope. For security reasons, it is recommended to use PrivateOnly whenever possible to avoid data exfiltration.
+
+  * Private Only - This mode allows the connected virtual network to reach only Private Link resources. It is the most secure mode and is set as the default when the `privateEndpoints` parameter is configured.
+  * Open - Allows the connected virtual network to reach both Private Link resources and the resources not in the AMPLS resource. Data exfiltration cannot be prevented in this mode.''')
+param accessModeSettings accessModeType
+
 @description('Optional. The location of the private link scope. Should be global.')
 param location string = 'global'
 
@@ -16,7 +22,7 @@ param lock lockType
 param roleAssignments roleAssignmentType
 
 @description('Optional. Configuration details for Azure Monitor Resources.')
-param scopedResources array = []
+param scopedResources scopedResourceType
 
 @description('Optional. Configuration details for private endpoints. For security reasons, it is recommended to use private endpoints whenever possible.')
 param privateEndpoints privateEndpointType
@@ -49,14 +55,19 @@ resource defaultTelemetry 'Microsoft.Resources/deployments@2021-04-01' = if (ena
   }
 }
 
-resource privateLinkScope 'Microsoft.Insights/privateLinkScopes@2019-10-17-preview' = {
+resource privateLinkScope 'microsoft.insights/privateLinkScopes@2021-07-01-preview' = {
   name: name
   location: location
   tags: tags
-  properties: {}
+  properties: {
+    accessModeSettings: accessModeSettings ?? {
+      ingestionAccessMode: empty(privateEndpoints) ? 'Open' : 'PrivateOnly'
+      queryAccessMode: empty(privateEndpoints) ? 'Open' : 'PrivateOnly'
+    }
+  }
 }
 
-module privateLinkScope_scopedResource 'scoped-resource/main.bicep' = [for (scopedResource, index) in scopedResources: {
+module privateLinkScope_scopedResource 'scoped-resource/main.bicep' = [for (scopedResource, index) in (scopedResources ?? []): {
   name: '${uniqueString(deployment().name, location)}-PvtLinkScope-ScopedRes-${index}'
   params: {
     name: scopedResource.name
@@ -227,3 +238,31 @@ type privateEndpointType = {
   @description('Optional. Enable/Disable usage telemetry for module.')
   enableTelemetry: bool?
 }[]?
+
+type scopedResourceType = {
+  @description('Required. Name of the private link scoped resource.')
+  name: string
+
+  @description('Required. The resource ID of the scoped Azure monitor resource.')
+  linkedResourceId: string
+}[]?
+
+type accessModeType = {
+  @description('Optional. List of exclusions that override the default access mode settings for specific private endpoint connections. Exclusions for the current created Private endpoints can only be applied post initial provisioning.')
+  exclusions: {
+    @description('Required. The private endpoint connection name associated to the private endpoint on which we want to apply the specific access mode settings.')
+    privateEndpointConnectionName: string
+
+    @description('Required. Specifies the access mode of ingestion through the specified private endpoint connection in the exclusion.')
+    ingestionAccessMode: 'Open' | 'PrivateOnly'
+
+    @description('Required. Specifies the access mode of queries through the specified private endpoint connection in the exclusion.')
+    queryAccessMode: 'Open' | 'PrivateOnly'
+  }[]?
+
+  @description('Required. Specifies the default access mode of ingestion through associated private endpoints in scope.')
+  ingestionAccessMode: 'Open' | 'PrivateOnly'
+
+  @description('Required. Specifies the default access mode of queries through associated private endpoints in scope.')
+  queryAccessMode: 'Open' | 'PrivateOnly'
+}?