From aedf40a7c9c75802e7f24c3cac5a82c4ef5bf4be Mon Sep 17 00:00:00 2001 From: Erika Gressi Date: Sun, 5 Nov 2023 20:56:42 +0100 Subject: [PATCH 1/4] waf folders --- .../tests/e2e/waf-aligned/dependencies.bicep | 104 ++++ .../tests/e2e/waf-aligned/main.test.bicep | 109 ++++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 120 +++++ .../tests/e2e/waf-aligned/dependencies.bicep | 16 + .../tests/e2e/waf-aligned/main.test.bicep | 219 ++++++++ .../tests/e2e/waf-aligned/dependencies.bicep | 16 + .../tests/e2e/waf-aligned/main.test.bicep | 124 +++++ .../tests/e2e/waf-aligned/dependencies.bicep | 28 + .../tests/e2e/waf-aligned/main.test.bicep | 109 ++++ .../tests/e2e/waf-aligned/dependencies.bicep | 40 ++ .../job/tests/e2e/waf-aligned/main.test.bicep | 124 +++++ .../tests/e2e/waf-aligned/dependencies.bicep | 51 ++ .../tests/e2e/waf-aligned/main.test.bicep | 72 +++ .../tests/e2e/waf-aligned/main.test.bicep | 49 ++ .../tests/e2e/waf-aligned/dependencies.bicep | 90 ++++ .../tests/e2e/waf-aligned/main.test.bicep | 261 +++++++++ .../tests/e2e/waf-aligned/dependencies.bicep | 78 +++ .../tests/e2e/waf-aligned/main.test.bicep | 129 +++++ .../tests/e2e/waf-aligned/dependencies.bicep | 60 +++ .../tests/e2e/waf-aligned/main.test.bicep | 135 +++++ .../tests/e2e/waf-aligned/dependencies.bicep | 60 +++ .../tests/e2e/waf-aligned/main.test.bicep | 121 +++++ .../tests/e2e/waf-aligned/dependencies.bicep | 38 ++ .../tests/e2e/waf-aligned/main.test.bicep | 101 ++++ .../tests/e2e/waf-aligned/dependencies.bicep | 68 +++ .../tests/e2e/waf-aligned/main.test.bicep | 137 +++++ .../tests/e2e/waf-aligned/dependencies.bicep | 24 + .../tests/e2e/waf-aligned/main.test.bicep | 74 +++ .../tests/e2e/waf-aligned/dependencies.bicep | 51 ++ .../tests/e2e/waf-aligned/main.test.bicep | 84 +++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 78 +++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 189 +++++++ .../tests/e2e/waf-aligned/dependencies.bicep | 218 ++++++++ .../e2e/waf-aligned/dependencies_rbac.bicep | 16 + .../tests/e2e/waf-aligned/main.test.bicep | 86 +++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 88 ++++ .../tests/e2e/waf-aligned/dependencies.bicep | 61 +++ .../tests/e2e/waf-aligned/main.test.bicep | 60 +++ .../tests/e2e/waf-aligned/main.test.bicep | 40 ++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 127 +++++ .../tests/e2e/waf-aligned/dependencies.bicep | 99 ++++ .../tests/e2e/waf-aligned/main.test.bicep | 160 ++++++ .../tests/e2e/waf-aligned/dependencies.bicep | 135 +++++ .../tests/e2e/waf-aligned/main.test.bicep | 161 ++++++ .../tests/e2e/waf-aligned/dependencies.bicep | 16 + .../tests/e2e/waf-aligned/main.test.bicep | 138 +++++ .../tests/e2e/waf-aligned/dependencies.bicep | 16 + .../tests/e2e/waf-aligned/main.test.bicep | 79 +++ .../tests/e2e/waf-aligned/dependencies.bicep | 368 +++++++++++++ .../tests/e2e/waf-aligned/main.test.bicep | 156 ++++++ .../tests/e2e/waf-aligned/dependencies.bicep | 29 + .../tests/e2e/waf-aligned/main.test.bicep | 119 +++++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 135 +++++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 133 +++++ .../tests/e2e/waf-aligned/dependencies.bicep | 41 ++ .../tests/e2e/waf-aligned/main.test.bicep | 103 ++++ .../tests/e2e/waf-aligned/dependencies.bicep | 134 +++++ .../lab/tests/e2e/waf-aligned/main.test.bicep | 286 ++++++++++ .../tests/e2e/waf-aligned/dependencies.bicep | 162 ++++++ .../tests/e2e/waf-aligned/main.test.bicep | 132 +++++ .../tests/e2e/waf-aligned/dependencies.bicep | 60 +++ .../tests/e2e/waf-aligned/main.test.bicep | 124 +++++ .../tests/e2e/waf-aligned/dependencies.bicep | 42 ++ .../tests/e2e/waf-aligned/main.test.bicep | 129 +++++ .../tests/e2e/waf-aligned/dependencies.bicep | 89 ++++ .../tests/e2e/waf-aligned/main.test.bicep | 145 +++++ .../tests/e2e/waf-aligned/dependencies.bicep | 83 +++ .../tests/e2e/waf-aligned/main.test.bicep | 228 ++++++++ .../tests/e2e/waf-aligned/dependencies.bicep | 16 + .../tests/e2e/waf-aligned/main.test.bicep | 78 +++ .../tests/e2e/waf-aligned/dependencies.bicep | 74 +++ .../tests/e2e/waf-aligned/main.test.bicep | 169 ++++++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 88 ++++ .../tests/e2e/waf-aligned/dependencies.bicep | 28 + .../tests/e2e/waf-aligned/main.test.bicep | 109 ++++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 97 ++++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 74 +++ .../tests/e2e/waf-aligned/main.test.bicep | 70 +++ .../tests/e2e/waf-aligned/dependencies.bicep | 29 + .../tests/e2e/waf-aligned/main.test.bicep | 87 +++ .../tests/e2e/waf-aligned/dependencies.bicep | 71 +++ .../tests/e2e/waf-aligned/main.test.bicep | 89 ++++ .../tests/e2e/waf-aligned/dependencies.bicep | 24 + .../tests/e2e/waf-aligned/main.test.bicep | 105 ++++ .../tests/e2e/waf-aligned/dependencies.bicep | 26 + .../tests/e2e/waf-aligned/main.test.bicep | 77 +++ .../tests/e2e/waf-aligned/dependencies.bicep | 65 +++ .../tests/e2e/waf-aligned/main.test.bicep | 189 +++++++ .../tests/e2e/waf-aligned/dependencies.bicep | 32 ++ .../tests/e2e/waf-aligned/main.test.bicep | 84 +++ .../tests/e2e/waf-aligned/dependencies.bicep | 49 ++ .../tests/e2e/waf-aligned/main.test.bicep | 81 +++ .../tests/e2e/waf-aligned/dependencies.bicep | 16 + .../tests/e2e/waf-aligned/main.test.bicep | 136 +++++ .../tests/e2e/waf-aligned/dependencies.bicep | 134 +++++ .../tests/e2e/waf-aligned/main.test.bicep | 162 ++++++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 101 ++++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 82 +++ .../tests/e2e/waf-aligned/main.test.bicep | 48 ++ .../tests/e2e/waf-aligned/main.test.bicep | 31 ++ .../tests/e2e/waf-aligned/main.test.bicep | 72 +++ .../tests/e2e/waf-aligned/dependencies.bicep | 146 +++++ .../tests/e2e/waf-aligned/main.test.bicep | 498 ++++++++++++++++++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 72 +++ .../tests/e2e/waf-aligned/dependencies.bicep | 64 +++ .../tests/e2e/waf-aligned/main.test.bicep | 190 +++++++ .../tests/e2e/waf-aligned/dependencies.bicep | 59 +++ .../tests/e2e/waf-aligned/main.test.bicep | 105 ++++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 72 +++ .../tests/e2e/waf-aligned/dependencies.bicep | 81 +++ .../tests/e2e/waf-aligned/main.test.bicep | 94 ++++ .../tests/e2e/waf-aligned/dependencies.bicep | 42 ++ .../tests/e2e/waf-aligned/main.test.bicep | 75 +++ .../tests/e2e/waf-aligned/dependencies.bicep | 37 ++ .../tests/e2e/waf-aligned/main.test.bicep | 222 ++++++++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 106 ++++ .../tests/e2e/waf-aligned/dependencies.bicep | 38 ++ .../tests/e2e/waf-aligned/main.test.bicep | 75 +++ .../tests/e2e/waf-aligned/main.test.bicep | 93 ++++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 135 +++++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 161 ++++++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 76 +++ .../tests/e2e/waf-aligned/dependencies.bicep | 36 ++ .../tests/e2e/waf-aligned/main.test.bicep | 181 +++++++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 78 +++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 118 +++++ .../tests/e2e/waf-aligned/dependencies.bicep | 113 ++++ .../tests/e2e/waf-aligned/main.test.bicep | 127 +++++ .../tests/e2e/waf-aligned/dependencies.bicep | 96 ++++ .../tests/e2e/waf-aligned/main.test.bicep | 255 +++++++++ .../tests/e2e/waf-aligned/dependencies.bicep | 24 + .../tests/e2e/waf-aligned/main.test.bicep | 160 ++++++ .../tests/e2e/waf-aligned/dependencies.bicep | 144 +++++ .../tests/e2e/waf-aligned/main.test.bicep | 158 ++++++ .../tests/e2e/waf-aligned/dependencies.bicep | 41 ++ .../tests/e2e/waf-aligned/main.test.bicep | 224 ++++++++ .../tests/e2e/waf-aligned/dependencies.bicep | 95 ++++ .../tests/e2e/waf-aligned/main.test.bicep | 105 ++++ .../tests/e2e/waf-aligned/dependencies.bicep | 68 +++ .../tests/e2e/waf-aligned/main.test.bicep | 106 ++++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 107 ++++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 73 +++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 82 +++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 85 +++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 101 ++++ .../tests/e2e/waf-aligned/dependencies.bicep | 42 ++ .../tests/e2e/waf-aligned/main.test.bicep | 94 ++++ .../tests/e2e/waf-aligned/dependencies.bicep | 35 ++ .../tests/e2e/waf-aligned/main.test.bicep | 156 ++++++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 76 +++ .../tests/e2e/waf-aligned/dependencies.bicep | 49 ++ .../tests/e2e/waf-aligned/main.test.bicep | 102 ++++ .../tests/e2e/waf-aligned/dependencies.bicep | 24 + .../tests/e2e/waf-aligned/main.test.bicep | 114 ++++ .../tests/e2e/waf-aligned/dependencies.bicep | 47 ++ .../tests/e2e/waf-aligned/main.test.bicep | 237 +++++++++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 76 +++ .../tests/e2e/waf-aligned/dependencies.bicep | 73 +++ .../tests/e2e/waf-aligned/main.test.bicep | 179 +++++++ .../tests/e2e/waf-aligned/dependencies.bicep | 63 +++ .../tests/e2e/waf-aligned/main.test.bicep | 378 +++++++++++++ .../tests/e2e/waf-aligned/dependencies.bicep | 60 +++ .../tests/e2e/waf-aligned/main.test.bicep | 181 +++++++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 74 +++ .../tests/e2e/waf-aligned/dependencies.bicep | 17 + .../tests/e2e/waf-aligned/main.test.bicep | 71 +++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 129 +++++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 62 +++ .../tests/e2e/waf-aligned/dependencies.bicep | 63 +++ .../tests/e2e/waf-aligned/main.test.bicep | 226 ++++++++ .../tests/e2e/waf-aligned/dependencies.bicep | 31 ++ .../tests/e2e/waf-aligned/main.test.bicep | 225 ++++++++ .../tests/e2e/waf-aligned/dependencies.bicep | 62 +++ .../tests/e2e/waf-aligned/main.test.bicep | 117 ++++ .../tests/e2e/waf-aligned/dependencies.bicep | 62 +++ .../tests/e2e/waf-aligned/main.test.bicep | 119 +++++ .../tests/e2e/waf-aligned/dependencies.bicep | 350 ++++++++++++ .../tests/e2e/waf-aligned/main.test.bicep | 181 +++++++ .../tests/e2e/waf-aligned/dependencies.bicep | 111 ++++ .../tests/e2e/waf-aligned/main.test.bicep | 197 +++++++ .../tests/e2e/waf-aligned/dependencies.bicep | 68 +++ .../tests/e2e/waf-aligned/main.test.bicep | 333 ++++++++++++ .../tests/e2e/waf-aligned/dependencies.bicep | 74 +++ .../tests/e2e/waf-aligned/main.test.bicep | 93 ++++ .../tests/e2e/waf-aligned/dependencies.bicep | 92 ++++ .../tests/e2e/waf-aligned/main.test.bicep | 124 +++++ .../tests/e2e/waf-aligned/dependencies.bicep | 99 ++++ .../tests/e2e/waf-aligned/main.test.bicep | 119 +++++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 77 +++ .../tests/e2e/waf-aligned/dependencies.bicep | 13 + .../tests/e2e/waf-aligned/main.test.bicep | 107 ++++ .../tests/e2e/waf-aligned/dependencies.bicep | 94 ++++ .../tests/e2e/waf-aligned/main.test.bicep | 109 ++++ 224 files changed, 20656 insertions(+) create mode 100644 modules/aad/domain-service/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/aad/domain-service/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/analysis-services/server/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/analysis-services/server/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/api-management/service/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/api-management/service/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/app-configuration/configuration-store/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/app-configuration/configuration-store/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/app/container-app/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/app/container-app/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/app/job/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/app/job/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/app/managed-environment/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/app/managed-environment/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/authorization/lock/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/automation/automation-account/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/automation/automation-account/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/batch/batch-account/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/batch/batch-account/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/cache/redis-enterprise/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/cache/redis-enterprise/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/cache/redis/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/cache/redis/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/cdn/profile/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/cdn/profile/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/cognitive-services/account/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/cognitive-services/account/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/compute/availability-set/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/compute/availability-set/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/compute/disk-encryption-set/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/compute/disk-encryption-set/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/compute/disk/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/compute/disk/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/compute/gallery/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/compute/gallery/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/compute/image/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/compute/image/tests/e2e/waf-aligned/dependencies_rbac.bicep create mode 100644 modules/compute/image/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/compute/proximity-placement-group/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/compute/proximity-placement-group/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/compute/ssh-public-key/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/compute/ssh-public-key/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/consumption/budget/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/container-instance/container-group/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/container-instance/container-group/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/container-registry/registry/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/container-registry/registry/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/data-factory/factory/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/data-factory/factory/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/data-protection/backup-vault/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/data-protection/backup-vault/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/databricks/access-connector/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/databricks/access-connector/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/databricks/workspace/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/databricks/workspace/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/desktop-virtualization/application-group/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/desktop-virtualization/application-group/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/desktop-virtualization/host-pool/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/desktop-virtualization/host-pool/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/desktop-virtualization/scaling-plan/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/desktop-virtualization/scaling-plan/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/desktop-virtualization/workspace/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/desktop-virtualization/workspace/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/dev-test-lab/lab/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/dev-test-lab/lab/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/digital-twins/digital-twins-instance/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/digital-twins/digital-twins-instance/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/event-grid/domain/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/event-grid/domain/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/event-grid/system-topic/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/event-grid/system-topic/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/event-grid/topic/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/event-grid/topic/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/event-hub/namespace/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/event-hub/namespace/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/health-bot/health-bot/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/health-bot/health-bot/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/healthcare-apis/workspace/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/healthcare-apis/workspace/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/insights/action-group/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/insights/action-group/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/insights/activity-log-alert/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/insights/activity-log-alert/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/insights/component/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/insights/component/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/insights/data-collection-endpoint/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/insights/data-collection-endpoint/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/insights/diagnostic-setting/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/insights/metric-alert/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/insights/metric-alert/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/insights/private-link-scope/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/insights/private-link-scope/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/insights/scheduled-query-rule/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/insights/scheduled-query-rule/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/insights/webtest/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/insights/webtest/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/key-vault/vault/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/key-vault/vault/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/kubernetes-configuration/extension/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/kubernetes-configuration/extension/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/kubernetes-configuration/flux-configuration/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/kubernetes-configuration/flux-configuration/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/logic/workflow/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/logic/workflow/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/machine-learning-services/workspace/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/machine-learning-services/workspace/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/maintenance/maintenance-configuration/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/maintenance/maintenance-configuration/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/managed-identity/user-assigned-identity/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/managed-identity/user-assigned-identity/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/managed-services/registration-definition/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/management/management-group/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/application-gateway-web-application-firewall-policy/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/application-gateway/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/application-gateway/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/application-security-group/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/application-security-group/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/azure-firewall/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/azure-firewall/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/bastion-host/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/bastion-host/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/ddos-protection-plan/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/ddos-protection-plan/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/dns-forwarding-ruleset/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/dns-forwarding-ruleset/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/dns-resolver/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/dns-resolver/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/dns-zone/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/dns-zone/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/express-route-circuit/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/express-route-circuit/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/express-route-gateway/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/express-route-gateway/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/firewall-policy/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/front-door-web-application-firewall-policy/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/front-door-web-application-firewall-policy/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/front-door/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/front-door/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/ip-group/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/ip-group/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/load-balancer/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/load-balancer/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/local-network-gateway/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/local-network-gateway/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/nat-gateway/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/nat-gateway/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/network-interface/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/network-interface/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/network-manager/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/network-manager/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/network-security-group/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/network-security-group/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/network-watcher/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/network-watcher/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/private-dns-zone/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/private-dns-zone/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/private-endpoint/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/private-endpoint/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/private-link-service/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/private-link-service/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/public-ip-address/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/public-ip-address/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/public-ip-prefix/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/public-ip-prefix/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/route-table/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/route-table/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/service-endpoint-policy/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/service-endpoint-policy/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/trafficmanagerprofile/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/trafficmanagerprofile/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/virtual-hub/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/virtual-hub/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/virtual-network/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/virtual-network/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/virtual-wan/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/virtual-wan/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/vpn-gateway/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/vpn-gateway/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/network/vpn-site/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/network/vpn-site/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/operational-insights/workspace/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/operational-insights/workspace/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/power-bi-dedicated/capacity/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/power-bi-dedicated/capacity/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/purview/account/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/purview/account/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/recovery-services/vault/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/recovery-services/vault/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/relay/namespace/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/relay/namespace/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/resource-graph/query/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/resource-graph/query/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/resources/resource-group/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/resources/resource-group/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/search/search-service/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/search/search-service/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/security/azure-security-center/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/security/azure-security-center/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/service-bus/namespace/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/service-bus/namespace/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/service-fabric/cluster/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/service-fabric/cluster/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/signal-r-service/signal-r/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/signal-r-service/signal-r/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/signal-r-service/web-pub-sub/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/signal-r-service/web-pub-sub/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/sql/managed-instance/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/sql/managed-instance/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/sql/server/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/sql/server/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/storage/storage-account/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/storage/storage-account/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/synapse/private-link-hub/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/synapse/private-link-hub/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/synapse/workspace/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/synapse/workspace/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/virtual-machine-images/image-template/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/virtual-machine-images/image-template/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/web/connection/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/web/connection/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/web/serverfarm/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/web/serverfarm/tests/e2e/waf-aligned/main.test.bicep create mode 100644 modules/web/static-site/tests/e2e/waf-aligned/dependencies.bicep create mode 100644 modules/web/static-site/tests/e2e/waf-aligned/main.test.bicep diff --git a/modules/aad/domain-service/tests/e2e/waf-aligned/dependencies.bicep b/modules/aad/domain-service/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..0767cf436a --- /dev/null +++ b/modules/aad/domain-service/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,104 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +@description('Required. The name of the Key Vault to create.') +param keyVaultName string + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +@description('Required. The name of the Deployment Script to create for the Certificate generation.') +param certDeploymentScriptName string + +var certPWSecretName = 'pfxCertificatePassword' +var certSecretName = 'pfxBase64Certificate' +var addressPrefix = '10.0.0.0/16' + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'defaultSubnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 16, 0) + } + } + ] + } +} + +resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = { + name: keyVaultName + location: location + properties: { + sku: { + family: 'A' + name: 'standard' + } + tenantId: tenant().tenantId + enablePurgeProtection: null + enabledForTemplateDeployment: true + enabledForDiskEncryption: true + enabledForDeployment: true + enableRbacAuthorization: true + accessPolicies: [] + } +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + name: guid('msi-${managedIdentity.name}-KeyVault-Admin-RoleAssignment') + scope: keyVault + properties: { + principalId: managedIdentity.properties.principalId + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483') // Key Vault Administrator + principalType: 'ServicePrincipal' + } +} + +resource certDeploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = { + name: certDeploymentScriptName + location: location + kind: 'AzurePowerShell' + identity: { + type: 'UserAssigned' + userAssignedIdentities: { + '${managedIdentity.id}': {} + } + } + properties: { + azPowerShellVersion: '3.0' + retentionInterval: 'P1D' + arguments: ' -KeyVaultName "${keyVault.name}" -ResourceGroupName "${resourceGroup().name}" -CertPWSecretName "${certPWSecretName}" -CertSecretName "${certSecretName}"' + scriptContent: loadTextContent('../../../../../.shared/.scripts/Set-PfxCertificateInKeyVault.ps1') + } +} + +@description('The resource ID of the created Virtual Network Subnet.') +output subnetResourceId string = virtualNetwork.properties.subnets[0].id + +@description('The resource ID of the created Key Vault.') +output keyVaultResourceId string = keyVault.id + +@description('The name of the certification password secret.') +output certPWSecretName string = certPWSecretName + +@description('The name of the certification secret.') +output certSecretName string = certSecretName + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/aad/domain-service/tests/e2e/waf-aligned/main.test.bicep b/modules/aad/domain-service/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..57a8a8aae6 --- /dev/null +++ b/modules/aad/domain-service/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,109 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-aad.domainservices-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'aaddsmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + certDeploymentScriptName: 'dep-${namePrefix}-ds-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = { + name: last(split(nestedDependencies.outputs.keyVaultResourceId, '/')) + scope: resourceGroup +} + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + domainName: '${namePrefix}.onmicrosoft.com' + additionalRecipients: [ + '${namePrefix}@noreply.github.com' + ] + diagnosticSettings: [ + { + name: 'customSetting' + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + pfxCertificate: keyVault.getSecret(nestedDependencies.outputs.certSecretName) + pfxCertificatePassword: keyVault.getSecret(nestedDependencies.outputs.certPWSecretName) + replicaSets: [ + { + location: 'WestEurope' + subnetId: nestedDependencies.outputs.subnetResourceId + } + ] + sku: 'Standard' + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/analysis-services/server/tests/e2e/waf-aligned/dependencies.bicep b/modules/analysis-services/server/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..29b9641692 --- /dev/null +++ b/modules/analysis-services/server/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,13 @@ +@description('Required. The name of the managed identity to create.') +param managedIdentityName string + +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The principal ID of the created managed identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/analysis-services/server/tests/e2e/waf-aligned/main.test.bicep b/modules/analysis-services/server/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..05de9c3d73 --- /dev/null +++ b/modules/analysis-services/server/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,120 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-analysisservices.servers-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'assmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}azsa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + skuName: 'S0' + skuCapacity: 1 + firewallSettings: { + firewallRules: [ + { + firewallRuleName: 'AllowFromAll' + rangeStart: '0.0.0.0' + rangeEnd: '255.255.255.255' + } + ] + enablePowerBIService: true + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + logCategoriesAndGroups: [ + { + category: 'Engine' + } + { + category: 'Service' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/api-management/service/tests/e2e/waf-aligned/dependencies.bicep b/modules/api-management/service/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..bd63a95634 --- /dev/null +++ b/modules/api-management/service/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,16 @@ +@description('Required. The name of the managed identity to create.') +param managedIdentityName string + +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The principal ID of the created managed identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Managed Identity.') +output managedIdentityResourceId string = managedIdentity.id diff --git a/modules/api-management/service/tests/e2e/waf-aligned/main.test.bicep b/modules/api-management/service/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..c1918b4ef4 --- /dev/null +++ b/modules/api-management/service/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,219 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-apimanagement.service-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'apismax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +@description('Optional. The secret to leverage for authorization server authentication.') +@secure() +param customSecret string = newGuid() + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}azsa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + publisherEmail: 'apimgmt-noreply@mail.windowsazure.com' + publisherName: '${namePrefix}-az-amorg-x-001' + apis: [ + { + apiVersionSet: { + name: 'echo-version-set' + properties: { + description: 'echo-version-set' + displayName: 'echo-version-set' + versioningScheme: 'Segment' + } + } + displayName: 'Echo API' + name: 'echo-api' + path: 'echo' + serviceUrl: 'http://echoapi.cloudapp.net/api' + } + ] + authorizationServers: { + secureList: [ + { + authorizationEndpoint: '${environment().authentication.loginEndpoint}651b43ce-ccb8-4301-b551-b04dd872d401/oauth2/v2.0/authorize' + clientId: 'apimclientid' + clientSecret: customSecret + clientRegistrationEndpoint: 'http://localhost' + grantTypes: [ + 'authorizationCode' + ] + name: 'AuthServer1' + tokenEndpoint: '${environment().authentication.loginEndpoint}651b43ce-ccb8-4301-b551-b04dd872d401/oauth2/v2.0/token' + } + ] + } + backends: [ + { + name: 'backend' + tls: { + validateCertificateChain: false + validateCertificateName: false + } + url: 'http://echoapi.cloudapp.net/api' + } + ] + caches: [ + { + connectionString: 'connectionstringtest' + name: 'westeurope' + useFromLocation: 'westeurope' + } + ] + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + identityProviders: [ + { + name: 'aadProvider' + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + namedValues: [ + { + displayName: 'apimkey' + name: 'apimkey' + secret: true + } + ] + policies: [ + { + format: 'xml' + value: ' ' + } + ] + portalsettings: [ + { + name: 'signin' + properties: { + enabled: false + } + } + { + name: 'signup' + properties: { + enabled: false + termsOfService: { + consentRequired: false + enabled: false + } + } + } + ] + products: [ + { + apis: [ + { + name: 'echo-api' + } + ] + approvalRequired: false + groups: [ + { + name: 'developers' + } + ] + name: 'Starter' + subscriptionRequired: false + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + subscriptions: [ + { + name: 'testArmSubscriptionAllApis' + scope: '/apis' + } + ] + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] + } + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/app-configuration/configuration-store/tests/e2e/waf-aligned/dependencies.bicep b/modules/app-configuration/configuration-store/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..bd63a95634 --- /dev/null +++ b/modules/app-configuration/configuration-store/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,16 @@ +@description('Required. The name of the managed identity to create.') +param managedIdentityName string + +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The principal ID of the created managed identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Managed Identity.') +output managedIdentityResourceId string = managedIdentity.id diff --git a/modules/app-configuration/configuration-store/tests/e2e/waf-aligned/main.test.bicep b/modules/app-configuration/configuration-store/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..a87462b588 --- /dev/null +++ b/modules/app-configuration/configuration-store/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,124 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-appconfiguration.configurationstores-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'accmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + createMode: 'Default' + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + disableLocalAuth: false + enablePurgeProtection: false + keyValues: [ + { + contentType: 'contentType' + name: 'keyName' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + value: 'valueName' + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + softDeleteRetentionInDays: 1 + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] + } + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/app/container-app/tests/e2e/waf-aligned/dependencies.bicep b/modules/app/container-app/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..a6700c9d60 --- /dev/null +++ b/modules/app/container-app/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,28 @@ +@description('Required. The location to deploy resources to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Environment for Container Apps to create.') +param managedEnvironmentName string + +@description('Required. The name of the managed identity to create.') +param managedIdentityName string + +resource managedEnvironment 'Microsoft.App/managedEnvironments@2022-10-01' = { + name: managedEnvironmentName + location: location + sku: { + name: 'Consumption' + } + properties: {} +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2022-01-31-preview' = { + name: managedIdentityName + location: location +} + +@description('The resource ID of the created Managed Identity.') +output managedIdentityResourceId string = managedIdentity.id + +@description('The resource ID of the created Managed Environment.') +output managedEnvironmentResourceId string = managedEnvironment.id diff --git a/modules/app/container-app/tests/e2e/waf-aligned/main.test.bicep b/modules/app/container-app/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..68cd3514ae --- /dev/null +++ b/modules/app/container-app/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,109 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-app.containerApps-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'mcappmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// =========== // +// Deployments // +// =========== // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-paramNested' + params: { + location: location + managedEnvironmentName: 'dep-${namePrefix}-menv-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + name: '${namePrefix}${serviceShort}001' + tags: { + 'hidden-title': 'This is visible in the resource name' + Env: 'test' + } + enableDefaultTelemetry: enableDefaultTelemetry + environmentId: nestedDependencies.outputs.managedEnvironmentResourceId + location: location + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] + } + secrets: { + secureList: [ + { + name: 'customtest' + value: guid(deployment().name) + } + ] + } + containers: [ + { + name: 'simple-hello-world-container' + image: 'mcr.microsoft.com/azuredocs/containerapps-helloworld:latest' + resources: { + // workaround as 'float' values are not supported in Bicep, yet the resource providers expects them. Related issue: https://github.com/Azure/bicep/issues/1386 + cpu: json('0.25') + memory: '0.5Gi' + } + probes: [ + { + type: 'Liveness' + httpGet: { + path: '/health' + port: 8080 + httpHeaders: [ + { + name: 'Custom-Header' + value: 'Awesome' + } + ] + } + initialDelaySeconds: 3 + periodSeconds: 3 + } + ] + } + ] + } +} diff --git a/modules/app/job/tests/e2e/waf-aligned/dependencies.bicep b/modules/app/job/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..b03d4aca93 --- /dev/null +++ b/modules/app/job/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,40 @@ +@description('Required. The location to deploy resources to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Environment for Container Apps to create.') +param managedEnvironmentName string + +@description('Required. The name of the managed identity to create.') +param managedIdentityName string + +@description('Required. The name of the workload profile to create.') +param workloadProfileName string + +resource managedEnvironment 'Microsoft.App/managedEnvironments@2023-05-01' = { + name: managedEnvironmentName + location: location + properties: { + workloadProfiles: [ + { + name: workloadProfileName + workloadProfileType: 'D4' + maximumCount: 1 + minimumCount: 1 + } + ] + } +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2022-01-31-preview' = { + name: managedIdentityName + location: location +} + +@description('The resource ID of the created Managed Identity.') +output managedIdentityResourceId string = managedIdentity.id + +@description('The resource ID of the created Managed Environment.') +output managedEnvironmentResourceId string = managedEnvironment.id + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/app/job/tests/e2e/waf-aligned/main.test.bicep b/modules/app/job/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..ad0bd71925 --- /dev/null +++ b/modules/app/job/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,124 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-app.job-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'ajmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// =========== // +// Deployments // +// =========== // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-paramNested' + params: { + location: location + managedEnvironmentName: 'dep-${namePrefix}-menv-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + workloadProfileName: serviceShort + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + name: '${namePrefix}${serviceShort}001' + tags: { + 'hidden-title': 'This is visible in the resource name' + Env: 'test' + } + enableDefaultTelemetry: enableDefaultTelemetry + environmentId: nestedDependencies.outputs.managedEnvironmentResourceId + workloadProfileName: serviceShort + location: location + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] + } + secrets: { + secureList: [ + { + name: 'customtest' + value: guid(deployment().name) + } + ] + } + triggerType: 'Manual' + manualTriggerConfig: { + replicaCompletionCount: 1 + parallelism: 1 + } + containers: [ + { + name: 'simple-hello-world-container' + image: 'mcr.microsoft.com/azuredocs/containerapps-helloworld:latest' + resources: { + // workaround as 'float' values are not supported in Bicep, yet the resource providers expects them. Related issue: https://github.com/Azure/bicep/issues/1386 + cpu: json('0.25') + memory: '0.5Gi' + } + probes: [ + { + type: 'Liveness' + httpGet: { + path: '/health' + port: 8080 + httpHeaders: [ + { + name: 'Custom-Header' + value: 'Awesome' + } + ] + } + initialDelaySeconds: 3 + periodSeconds: 3 + } + ] + } + ] + roleAssignments: [ + { + principalId: nestedDependencies.outputs.managedIdentityResourceId + roleDefinitionIdOrName: 'ContainerApp Reader' + principalType: 'ServicePrincipal' + } + ] + } +} diff --git a/modules/app/managed-environment/tests/e2e/waf-aligned/dependencies.bicep b/modules/app/managed-environment/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..f61380acc4 --- /dev/null +++ b/modules/app/managed-environment/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,51 @@ +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +@description('Required. The name of the Log Analytics Workspace to create.') +param logAnalyticsWorkspaceName string + +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +var addressPrefix = '10.0.0.0/16' + +resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2022-10-01' = { + name: logAnalyticsWorkspaceName + location: location + properties: any({ + retentionInDays: 30 + features: { + searchVersion: 1 + } + sku: { + name: 'PerGB2018' + } + }) +} + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'defaultSubnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 16, 0) + } + } + ] + } + +} + +@description('The resource ID of the created Log Analytics Workspace.') +output logAnalyticsWorkspaceResourceId string = logAnalyticsWorkspace.id + +@description('The resource ID of the created Virtual Network Subnet.') +output subnetResourceId string = virtualNetwork.properties.subnets[0].id diff --git a/modules/app/managed-environment/tests/e2e/waf-aligned/main.test.bicep b/modules/app/managed-environment/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..1843a5b3ce --- /dev/null +++ b/modules/app/managed-environment/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,72 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-app.managedenvironments-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'amemax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// =========== // +// Deployments // +// =========== // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-paramNested' + params: { + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + logAnalyticsWorkspaceResourceId: nestedDependencies.outputs.logAnalyticsWorkspaceResourceId + location: location + skuName: 'Consumption' + internal: true + dockerBridgeCidr: '172.16.0.1/28' + platformReservedCidr: '172.17.17.0/24' + platformReservedDnsIP: '172.17.17.17' + infrastructureSubnetId: nestedDependencies.outputs.subnetResourceId + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + tags: { + 'hidden-title': 'This is visible in the resource name' + Env: 'test' + } + } +} diff --git a/modules/authorization/lock/tests/e2e/waf-aligned/main.test.bicep b/modules/authorization/lock/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..b0a46425c0 --- /dev/null +++ b/modules/authorization/lock/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,49 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-authorization.locks-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'almax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + level: 'CanNotDelete' + resourceGroupName: resourceGroup.name + subscriptionId: subscription().subscriptionId + } +} diff --git a/modules/automation/automation-account/tests/e2e/waf-aligned/dependencies.bicep b/modules/automation/automation-account/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..3a979dc83b --- /dev/null +++ b/modules/automation/automation-account/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,90 @@ +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +@description('Required. The name of the Key Vault to create.') +param keyVaultName string + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +var addressPrefix = '10.0.0.0/16' + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'defaultSubnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 16, 0) + } + } + ] + } +} + +resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { + name: 'privatelink.azure-automation.net' + location: 'global' + + resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { + name: '${virtualNetwork.name}-vnetlink' + location: 'global' + properties: { + virtualNetwork: { + id: virtualNetwork.id + } + registrationEnabled: false + } + } +} + +resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = { + name: keyVaultName + location: location + properties: { + sku: { + family: 'A' + name: 'standard' + } + tenantId: tenant().tenantId + enablePurgeProtection: null + enabledForTemplateDeployment: true + enabledForDiskEncryption: true + enabledForDeployment: true + enableRbacAuthorization: true + accessPolicies: [] + } +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The resource ID of the created Virtual Network Subnet.') +output subnetResourceId string = virtualNetwork.properties.subnets[0].id + +@description('The resource ID of the created Key Vault.') +output keyVaultResourceId string = keyVault.id + +@description('The URL of the created Key Vault.') +output keyVaultUrl string = keyVault.properties.vaultUri + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Managed Identity.') +output managedIdentityResourceId string = managedIdentity.id + +@description('The resource ID of the created Private DNS Zone.') +output privateDNSZoneResourceId string = privateDNSZone.id diff --git a/modules/automation/automation-account/tests/e2e/waf-aligned/main.test.bicep b/modules/automation/automation-account/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..f0984bd8c6 --- /dev/null +++ b/modules/automation/automation-account/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,261 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-automation.account-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'aamax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + gallerySolutions: [ + { + name: 'Updates' + product: 'OMSGallery' + publisher: 'Microsoft' + } + ] + jobSchedules: [ + { + runbookName: 'TestRunbook' + scheduleName: 'TestSchedule' + } + ] + disableLocalAuth: true + linkedWorkspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + modules: [ + { + name: 'PSWindowsUpdate' + uri: 'https://www.powershellgallery.com/api/v2/package' + version: 'latest' + } + ] + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] + service: 'Webhook' + subnetResourceId: nestedDependencies.outputs.subnetResourceId + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + { + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] + service: 'DSCAndHybridWorker' + subnetResourceId: nestedDependencies.outputs.subnetResourceId + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + runbooks: [ + { + description: 'Test runbook' + name: 'TestRunbook' + type: 'PowerShell' + uri: 'https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.automation/101-automation/scripts/AzureAutomationTutorial.ps1' + version: '1.0.0.0' + } + ] + schedules: [ + { + advancedSchedule: {} + expiryTime: '9999-12-31T13:00' + frequency: 'Hour' + interval: 12 + name: 'TestSchedule' + startTime: '' + timeZone: 'Europe/Berlin' + } + ] + softwareUpdateConfigurations: [ + { + excludeUpdates: [ + '123456' + ] + frequency: 'Month' + includeUpdates: [ + '654321' + ] + interval: 1 + maintenanceWindow: 'PT4H' + monthlyOccurrences: [ + { + day: 'Friday' + occurrence: 3 + } + ] + name: 'Windows_ZeroDay' + operatingSystem: 'Windows' + rebootSetting: 'IfRequired' + scopeByTags: { + Update: [ + 'Automatic-Wave1' + ] + } + startTime: '22:00' + updateClassifications: [ + 'Critical' + 'Definition' + 'FeaturePack' + 'Security' + 'ServicePack' + 'Tools' + 'UpdateRollup' + 'Updates' + ] + } + { + excludeUpdates: [ + 'icacls' + ] + frequency: 'OneTime' + includeUpdates: [ + 'kernel' + ] + maintenanceWindow: 'PT4H' + name: 'Linux_ZeroDay' + operatingSystem: 'Linux' + rebootSetting: 'IfRequired' + startTime: '22:00' + updateClassifications: [ + 'Critical' + 'Other' + 'Security' + ] + } + ] + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] + } + variables: [ + { + description: 'TestStringDescription' + name: 'TestString' + value: '\'TestString\'' + } + { + description: 'TestIntegerDescription' + name: 'TestInteger' + value: '500' + } + { + description: 'TestBooleanDescription' + name: 'TestBoolean' + value: 'false' + } + { + description: 'TestDateTimeDescription' + isEncrypted: false + name: 'TestDateTime' + value: '\'\\/Date(1637934042656)\\/\'' + } + { + description: 'TestEncryptedDescription' + name: 'TestEncryptedVariable' + value: '\'TestEncryptedValue\'' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/batch/batch-account/tests/e2e/waf-aligned/dependencies.bicep b/modules/batch/batch-account/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..462e8a5f27 --- /dev/null +++ b/modules/batch/batch-account/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,78 @@ +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +@description('Required. The name of the Storage Account to create.') +param storageAccountName string + +var addressPrefix = '10.0.0.0/16' + +resource storageAccount 'Microsoft.Storage/storageAccounts@2021-09-01' = { + name: storageAccountName + location: location + sku: { + name: 'Standard_LRS' + } + kind: 'StorageV2' +} + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'defaultSubnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 16, 0) + } + } + ] + } +} + +resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { + name: 'privatelink.batch.azure.com' + location: 'global' + + resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { + name: '${virtualNetwork.name}-vnetlink' + location: 'global' + properties: { + virtualNetwork: { + id: virtualNetwork.id + } + registrationEnabled: false + } + } +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The resource ID of the created Virtual Network Subnet.') +output subnetResourceId string = virtualNetwork.properties.subnets[0].id + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Managed Identity.') +output managedIdentityResourceId string = managedIdentity.id + +@description('The resource ID of the created Virtual Network Subnet.') +output storageAccountResourceId string = storageAccount.id + +@description('The resource ID of the created Private DNS Zone.') +output privateDNSZoneResourceId string = privateDNSZone.id diff --git a/modules/batch/batch-account/tests/e2e/waf-aligned/main.test.bicep b/modules/batch/batch-account/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..87a36e6670 --- /dev/null +++ b/modules/batch/batch-account/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,129 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-batch.batchaccounts-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'bbamax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + storageAccountName: 'dep${namePrefix}st${serviceShort}' + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + storageAccountId: nestedDependencies.outputs.storageAccountResourceId + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + poolAllocationMode: 'BatchService' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + privateEndpoints: [ + { + subnetResourceId: nestedDependencies.outputs.subnetResourceId + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + storageAccessIdentity: nestedDependencies.outputs.managedIdentityResourceId + storageAuthenticationMode: 'BatchAccountManagedIdentity' + managedIdentities: { + systemAssigned: true + } + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/cache/redis-enterprise/tests/e2e/waf-aligned/dependencies.bicep b/modules/cache/redis-enterprise/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..59ae30a575 --- /dev/null +++ b/modules/cache/redis-enterprise/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,60 @@ +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +var addressPrefix = '10.0.0.0/16' + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'defaultSubnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 16, 0) + } + } + ] + } +} + +resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { + name: 'privatelink.redisenterprise.cache.azure.net' + location: 'global' + + resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { + name: '${virtualNetwork.name}-vnetlink' + location: 'global' + properties: { + virtualNetwork: { + id: virtualNetwork.id + } + registrationEnabled: false + } + } +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The resource ID of the created Virtual Network Subnet.') +output subnetResourceId string = virtualNetwork.properties.subnets[0].id + +@description('The resource ID of the created Private DNS Zone.') +output privateDNSZoneResourceId string = privateDNSZone.id + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/cache/redis-enterprise/tests/e2e/waf-aligned/main.test.bicep b/modules/cache/redis-enterprise/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..ce2540744f --- /dev/null +++ b/modules/cache/redis-enterprise/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,135 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-cache.redisenterprise-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'cremax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-ds-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + capacity: 2 + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + minimumTlsVersion: '1.2' + zoneRedundant: true + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] + subnetResourceId: nestedDependencies.outputs.subnetResourceId + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + databases: [ + { + clusteringPolicy: 'EnterpriseCluster' + evictionPolicy: 'AllKeysLFU' + modules: [ + { + name: 'RedisBloom' + } + { + name: 'RedisTimeSeries' + args: 'RETENTION_POLICY 20' + } + ] + persistenceAofEnabled: true + persistenceAofFrequency: '1s' + persistenceRdbEnabled: false + port: 10000 + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + resourceType: 'Redis Cache Enterprise' + } + } +} diff --git a/modules/cache/redis/tests/e2e/waf-aligned/dependencies.bicep b/modules/cache/redis/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..8218e0c1ad --- /dev/null +++ b/modules/cache/redis/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,60 @@ +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +@description('Required. The name of the managed identity to create.') +param managedIdentityName string + +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +var addressPrefix = '10.0.0.0/16' + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'defaultSubnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 16, 0) + } + } + ] + } +} + +resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { + name: 'privatelink.redis.cache.windows.net' + location: 'global' + + resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { + name: '${virtualNetwork.name}-vnetlink' + location: 'global' + properties: { + virtualNetwork: { + id: virtualNetwork.id + } + registrationEnabled: false + } + } +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The resource ID of the created Managed Identity.') +output managedIdentityResourceId string = managedIdentity.id + +@description('The resource ID of the created Virtual Network Subnet.') +output subnetResourceId string = virtualNetwork.properties.subnets[0].id + +@description('The resource ID of the created Private DNS Zone.') +output privateDNSZoneResourceId string = privateDNSZone.id diff --git a/modules/cache/redis/tests/e2e/waf-aligned/main.test.bicep b/modules/cache/redis/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..5162295ff3 --- /dev/null +++ b/modules/cache/redis/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,121 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-cache.redis-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'crmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + capacity: 2 + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + enableNonSslPort: true + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + minimumTlsVersion: '1.2' + zoneRedundant: true + zones: [ 1, 2 ] + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] + subnetResourceId: nestedDependencies.outputs.subnetResourceId + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + publicNetworkAccess: 'Enabled' + redisVersion: '6' + shardCount: 1 + skuName: 'Premium' + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] + } + tags: { + 'hidden-title': 'This is visible in the resource name' + resourceType: 'Redis Cache' + } + } +} diff --git a/modules/cdn/profile/tests/e2e/waf-aligned/dependencies.bicep b/modules/cdn/profile/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..7ca387035b --- /dev/null +++ b/modules/cdn/profile/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,38 @@ +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +@description('Required. The name of the Storage Account to create.') +param storageAccountName string + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +resource storageAccount 'Microsoft.Storage/storageAccounts@2022-05-01' = { + name: storageAccountName + location: location + sku: { + name: 'Standard_LRS' + } + kind: 'StorageV2' + properties: { + allowBlobPublicAccess: false + networkAcls: { + defaultAction: 'Deny' + bypass: 'AzureServices' + } + } +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The resource ID of the created Storage Account.') +output storageAccountResourceId string = storageAccount.id + +@description('The name of the created Storage Account.') +output storageAccountName string = storageAccount.name + +@description('The resource ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/cdn/profile/tests/e2e/waf-aligned/main.test.bicep b/modules/cdn/profile/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..5298d3dc2c --- /dev/null +++ b/modules/cdn/profile/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,101 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-cdn.profiles-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'cdnpmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + storageAccountName: 'dep${namePrefix}cdnstore${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + name: 'dep-${namePrefix}-test-${serviceShort}' + location: location + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + originResponseTimeoutSeconds: 60 + sku: 'Standard_Verizon' + enableDefaultTelemetry: enableDefaultTelemetry + endpointProperties: { + originHostHeader: '${nestedDependencies.outputs.storageAccountName}.blob.${environment().suffixes.storage}' + contentTypesToCompress: [ + 'text/plain' + 'text/html' + 'text/css' + 'text/javascript' + 'application/x-javascript' + 'application/javascript' + 'application/json' + 'application/xml' + ] + isCompressionEnabled: true + isHttpAllowed: true + isHttpsAllowed: true + queryStringCachingBehavior: 'IgnoreQueryString' + origins: [ + { + name: 'dep-${namePrefix}-cdn-endpoint01' + properties: { + hostName: '${nestedDependencies.outputs.storageAccountName}.blob.${environment().suffixes.storage}' + httpPort: 80 + httpsPort: 443 + enabled: true + } + } + ] + originGroups: [] + geoFilters: [] + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + } +} diff --git a/modules/cognitive-services/account/tests/e2e/waf-aligned/dependencies.bicep b/modules/cognitive-services/account/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..129b6f6579 --- /dev/null +++ b/modules/cognitive-services/account/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,68 @@ +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +var addressPrefix = '10.0.0.0/16' + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'defaultSubnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 16, 0) + serviceEndpoints: [ + { + service: 'Microsoft.CognitiveServices' + } + ] + } + } + ] + } +} + +resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { + name: 'privatelink.cognitiveservices.azure.com' + location: 'global' + + resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { + name: '${virtualNetwork.name}-vnetlink' + location: 'global' + properties: { + virtualNetwork: { + id: virtualNetwork.id + } + registrationEnabled: false + } + } +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The resource ID of the created Virtual Network Subnet.') +output subnetResourceId string = virtualNetwork.properties.subnets[0].id + +@description('The resource ID of the created Managed Identity.') +output managedIdentityResourceId string = managedIdentity.id + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Private DNS zone.') +output privateDNSZoneResourceId string = privateDNSZone.id diff --git a/modules/cognitive-services/account/tests/e2e/waf-aligned/main.test.bicep b/modules/cognitive-services/account/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..f548446c6c --- /dev/null +++ b/modules/cognitive-services/account/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,137 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-cognitiveservices.accounts-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'csamax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + kind: 'Face' + customSubDomainName: '${namePrefix}xdomain' + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + networkAcls: { + defaultAction: 'Deny' + ipRules: [ + { + value: '40.74.28.0/23' + } + ] + virtualNetworkRules: [ + { + id: nestedDependencies.outputs.subnetResourceId + ignoreMissingVnetServiceEndpoint: false + } + ] + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + sku: 'S0' + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] + } + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] + subnetResourceId: nestedDependencies.outputs.subnetResourceId + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/compute/availability-set/tests/e2e/waf-aligned/dependencies.bicep b/modules/compute/availability-set/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..2c78999e90 --- /dev/null +++ b/modules/compute/availability-set/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,24 @@ +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +@description('Required. The name of the Proximity Placement Group to create.') +param proximityPlacementGroupName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +resource proximityPlacementGroup 'Microsoft.Compute/proximityPlacementGroups@2022-03-01' = { + name: proximityPlacementGroupName + location: location +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Proximity Placement Group.') +output proximityPlacementGroupResourceId string = proximityPlacementGroup.id diff --git a/modules/compute/availability-set/tests/e2e/waf-aligned/main.test.bicep b/modules/compute/availability-set/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..c05e914de3 --- /dev/null +++ b/modules/compute/availability-set/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,74 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-compute.availabilitysets-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'casmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + proximityPlacementGroupName: 'dep-${namePrefix}-ppg-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + proximityPlacementGroupResourceId: nestedDependencies.outputs.proximityPlacementGroupResourceId + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/compute/disk-encryption-set/tests/e2e/waf-aligned/dependencies.bicep b/modules/compute/disk-encryption-set/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..62321ebe98 --- /dev/null +++ b/modules/compute/disk-encryption-set/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,51 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Key Vault to create.') +param keyVaultName string + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = { + name: keyVaultName + location: location + properties: { + sku: { + family: 'A' + name: 'standard' + } + tenantId: tenant().tenantId + enablePurgeProtection: true // Required by disk encryption set + softDeleteRetentionInDays: 7 + enabledForTemplateDeployment: true + enabledForDiskEncryption: true + enabledForDeployment: true + enableRbacAuthorization: true + accessPolicies: [] + } + + resource key 'keys@2022-07-01' = { + name: 'keyEncryptionKey' + properties: { + kty: 'RSA' + } + } +} + +@description('The resource ID of the created Key Vault.') +output keyVaultResourceId string = keyVault.id + +@description('The name of the created encryption key.') +output keyName string = keyVault::key.name + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Managed Identity.') +output managedIdentityResourceId string = managedIdentity.id diff --git a/modules/compute/disk-encryption-set/tests/e2e/waf-aligned/main.test.bicep b/modules/compute/disk-encryption-set/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..d854daacec --- /dev/null +++ b/modules/compute/disk-encryption-set/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,84 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-compute.diskencryptionsets-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'cdesmax' + +@description('Generated. Used as a basis for unique resource names.') +param baseTime string = utcNow('u') + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total) + keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + keyName: nestedDependencies.outputs.keyName + keyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + managedIdentities: { + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] + } + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/compute/disk/tests/e2e/waf-aligned/dependencies.bicep b/modules/compute/disk/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..616cf219fe --- /dev/null +++ b/modules/compute/disk/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,13 @@ +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The principal ID of the created managed identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/compute/disk/tests/e2e/waf-aligned/main.test.bicep b/modules/compute/disk/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..7916ad9f61 --- /dev/null +++ b/modules/compute/disk/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,78 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-compute.images-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'cdmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}-${serviceShort}001' + sku: 'UltraSSD_LRS' + diskIOPSReadWrite: 500 + diskMBpsReadWrite: 60 + diskSizeGB: 128 + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + logicalSectorSize: 512 + osType: 'Windows' + publicNetworkAccess: 'Enabled' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/compute/gallery/tests/e2e/waf-aligned/dependencies.bicep b/modules/compute/gallery/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..a7f42aee7b --- /dev/null +++ b/modules/compute/gallery/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,13 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/compute/gallery/tests/e2e/waf-aligned/main.test.bicep b/modules/compute/gallery/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..a93ee28315 --- /dev/null +++ b/modules/compute/gallery/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,189 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-compute.galleries-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'cgmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + applications: [ + { + name: '${namePrefix}-${serviceShort}-appd-001' + } + { + name: '${namePrefix}-${serviceShort}-appd-002' + supportedOSType: 'Windows' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + } + ] + images: [ + { + name: '${namePrefix}-az-imgd-ws-001' + } + { + hyperVGeneration: 'V1' + maxRecommendedMemory: 16 + maxRecommendedvCPUs: 8 + minRecommendedMemory: 4 + minRecommendedvCPUs: 2 + name: '${namePrefix}-az-imgd-ws-002' + offer: 'WindowsServer' + osState: 'Generalized' + osType: 'Windows' + publisher: 'MicrosoftWindowsServer' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + sku: '2022-datacenter-azure-edition' + } + { + hyperVGeneration: 'V2' + isHibernateSupported: 'true' + maxRecommendedMemory: 16 + maxRecommendedvCPUs: 8 + minRecommendedMemory: 4 + minRecommendedvCPUs: 2 + name: '${namePrefix}-az-imgd-ws-003' + offer: 'WindowsServer' + osState: 'Generalized' + osType: 'Windows' + publisher: 'MicrosoftWindowsServer' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + sku: '2022-datacenter-azure-edition-hibernate' + } + { + hyperVGeneration: 'V2' + isAcceleratedNetworkSupported: 'true' + maxRecommendedMemory: 16 + maxRecommendedvCPUs: 8 + minRecommendedMemory: 4 + minRecommendedvCPUs: 2 + name: '${namePrefix}-az-imgd-ws-004' + offer: 'WindowsServer' + osState: 'Generalized' + osType: 'Windows' + publisher: 'MicrosoftWindowsServer' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + sku: '2022-datacenter-azure-edition-accnet' + } + { + hyperVGeneration: 'V2' + securityType: 'TrustedLaunch' + maxRecommendedMemory: 16 + maxRecommendedvCPUs: 4 + minRecommendedMemory: 4 + minRecommendedvCPUs: 2 + name: '${namePrefix}-az-imgd-wdtl-002' + offer: 'WindowsDesktop' + osState: 'Generalized' + osType: 'Windows' + publisher: 'MicrosoftWindowsDesktop' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + sku: 'Win11-21H2' + } + { + hyperVGeneration: 'V2' + maxRecommendedMemory: 32 + maxRecommendedvCPUs: 4 + minRecommendedMemory: 4 + minRecommendedvCPUs: 1 + name: '${namePrefix}-az-imgd-us-001' + offer: '0001-com-ubuntu-server-focal' + osState: 'Generalized' + osType: 'Linux' + publisher: 'canonical' + sku: '20_04-lts-gen2' + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/compute/image/tests/e2e/waf-aligned/dependencies.bicep b/modules/compute/image/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..2a31d8730b --- /dev/null +++ b/modules/compute/image/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,218 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +@description('Required. The name of the Storage Account to create and to copy the VHD into.') +param storageAccountName string + +@description('Required. The name of the Disk Encryption Set to create.') +param diskEncryptionSetName string + +@description('Required. The name of the Key Vault to create.') +param keyVaultName string + +@description('Required. The name prefix of the Image Template to create.') +param imageTemplateNamePrefix string + +@description('Generated. Do not provide a value! This date value is used to generate a unique image template name.') +param baseTime string = utcNow('yyyy-MM-dd-HH-mm-ss') + +@description('Required. The name of the Deployment Script to create for triggering the image creation.') +param triggerImageDeploymentScriptName string + +@description('Required. The name of the Deployment Script to copy the VHD to a destination storage account.') +param copyVhdDeploymentScriptName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = { + name: storageAccountName + location: location + kind: 'StorageV2' + sku: { + name: 'Standard_LRS' + } + properties: { + allowBlobPublicAccess: false + } + resource blobServices 'blobServices@2022-09-01' = { + name: 'default' + resource container 'containers@2022-09-01' = { + name: 'vhds' + properties: { + publicAccess: 'None' + } + } + } +} + +module roleAssignment 'dependencies_rbac.bicep' = { + name: '${deployment().name}-MSI-roleAssignment' + scope: subscription() + params: { + managedIdentityPrincipalId: managedIdentity.properties.principalId + managedIdentityResourceId: managedIdentity.id + } +} + +// Deploy image template +resource imageTemplate 'Microsoft.VirtualMachineImages/imageTemplates@2022-02-14' = { + #disable-next-line use-stable-resource-identifiers + name: '${imageTemplateNamePrefix}-${baseTime}' + location: location + identity: { + type: 'UserAssigned' + userAssignedIdentities: { + '${managedIdentity.id}': {} + } + } + properties: { + buildTimeoutInMinutes: 0 + vmProfile: { + vmSize: 'Standard_D2s_v3' + osDiskSizeGB: 127 + } + source: { + type: 'PlatformImage' + publisher: 'MicrosoftWindowsDesktop' + offer: 'Windows-11' + sku: 'win11-21h2-avd' + version: 'latest' + } + distribute: [ + { + type: 'VHD' + runOutputName: '${imageTemplateNamePrefix}-VHD' + artifactTags: {} + } + ] + customize: [ + { + restartTimeout: '30m' + type: 'WindowsRestart' + } + ] + } +} + +// Trigger VHD creation +resource triggerImageDeploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = { + name: triggerImageDeploymentScriptName + location: location + kind: 'AzurePowerShell' + identity: { + type: 'UserAssigned' + userAssignedIdentities: { + '${managedIdentity.id}': {} + } + } + properties: { + azPowerShellVersion: '8.0' + retentionInterval: 'P1D' + arguments: '-ImageTemplateName \\"${imageTemplate.name}\\" -ImageTemplateResourceGroup \\"${resourceGroup().name}\\"' + scriptContent: loadTextContent('../../../../../.shared/.scripts/Start-ImageTemplate.ps1') + cleanupPreference: 'OnSuccess' + forceUpdateTag: baseTime + } + dependsOn: [ + roleAssignment + ] +} + +// Copy VHD to destination storage account +resource copyVhdDeploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = { + name: copyVhdDeploymentScriptName + location: location + kind: 'AzurePowerShell' + identity: { + type: 'UserAssigned' + userAssignedIdentities: { + '${managedIdentity.id}': {} + } + } + properties: { + azPowerShellVersion: '8.0' + retentionInterval: 'P1D' + arguments: '-ImageTemplateName \\"${imageTemplate.name}\\" -ImageTemplateResourceGroup \\"${resourceGroup().name}\\" -DestinationStorageAccountName \\"${storageAccount.name}\\" -VhdName \\"${imageTemplateNamePrefix}\\" -WaitForComplete' + scriptContent: loadTextContent('../../../../../.shared/.scripts/Copy-VhdToStorageAccount.ps1') + cleanupPreference: 'OnSuccess' + forceUpdateTag: baseTime + } + dependsOn: [ triggerImageDeploymentScript ] +} + +resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = { + name: keyVaultName + location: location + properties: { + sku: { + family: 'A' + name: 'standard' + } + tenantId: tenant().tenantId + enablePurgeProtection: true // Required for encrption to work + softDeleteRetentionInDays: 7 + enabledForTemplateDeployment: true + enabledForDiskEncryption: true + enabledForDeployment: true + enableRbacAuthorization: true + accessPolicies: [] + } + + resource key 'keys@2022-07-01' = { + name: 'encryptionKey' + properties: { + kty: 'RSA' + } + } +} + +resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-Key-Reader-RoleAssignment') + scope: keyVault::key + properties: { + principalId: managedIdentity.properties.principalId + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424') // Key Vault Crypto User + principalType: 'ServicePrincipal' + } +} + +resource diskEncryptionSet 'Microsoft.Compute/diskEncryptionSets@2022-07-02' = { + name: diskEncryptionSetName + location: location + identity: { + type: 'UserAssigned' + userAssignedIdentities: { + '${managedIdentity.id}': {} + } + } + properties: { + activeKey: { + sourceVault: { + id: keyVault.id + } + keyUrl: keyVault::key.properties.keyUriWithVersion + } + encryptionType: 'EncryptionAtRestWithCustomerKey' + } + dependsOn: [ + keyPermissions + ] +} + +@description('The URI of the created VHD.') +output vhdUri string = 'https://${storageAccount.name}.blob.${environment().suffixes.storage}/vhds/${imageTemplateNamePrefix}.vhd' + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Managed Identity.') +output managedIdentityResourceId string = managedIdentity.id + +@description('The resource ID of the created Disk Encryption Set.') +output diskEncryptionSetResourceId string = diskEncryptionSet.id diff --git a/modules/compute/image/tests/e2e/waf-aligned/dependencies_rbac.bicep b/modules/compute/image/tests/e2e/waf-aligned/dependencies_rbac.bicep new file mode 100644 index 0000000000..cdca1b63bd --- /dev/null +++ b/modules/compute/image/tests/e2e/waf-aligned/dependencies_rbac.bicep @@ -0,0 +1,16 @@ +targetScope = 'subscription' + +@description('Required. The resource ID of the created Managed Identity.') +param managedIdentityResourceId string + +@description('Required. The principal ID of the created Managed Identity.') +param managedIdentityPrincipalId string + +resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + name: guid(subscription().subscriptionId, 'Contributor', managedIdentityResourceId) + properties: { + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') // Contributor + principalId: managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } +} diff --git a/modules/compute/image/tests/e2e/waf-aligned/main.test.bicep b/modules/compute/image/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..7b5bd31348 --- /dev/null +++ b/modules/compute/image/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,86 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-compute.images-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'cimax' + +@description('Generated. Used as a basis for unique resource names.') +param baseTime string = utcNow('u') + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total) + keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}' + diskEncryptionSetName: 'dep-${namePrefix}-des-${serviceShort}' + storageAccountName: 'dep${namePrefix}sa${serviceShort}01' + imageTemplateNamePrefix: 'dep-${namePrefix}-imgt-${serviceShort}' + triggerImageDeploymentScriptName: 'dep-${namePrefix}-ds-${serviceShort}-triggerImageTemplate' + copyVhdDeploymentScriptName: 'dep-${namePrefix}-ds-${serviceShort}-copyVhdToStorage' + } +} + +// ============== // +// Test Execution // +// ============== // +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + osAccountType: 'Premium_LRS' + osDiskBlobUri: nestedDependencies.outputs.vhdUri + osDiskCaching: 'ReadWrite' + osType: 'Windows' + hyperVGeneration: 'V1' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + zoneResilient: true + diskEncryptionSetResourceId: nestedDependencies.outputs.diskEncryptionSetResourceId + osState: 'Generalized' + diskSizeGB: 128 + tags: { + 'hidden-title': 'This is visible in the resource name' + tagA: 'You\'re it' + tagB: 'Player' + } + } +} diff --git a/modules/compute/proximity-placement-group/tests/e2e/waf-aligned/dependencies.bicep b/modules/compute/proximity-placement-group/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..a7f42aee7b --- /dev/null +++ b/modules/compute/proximity-placement-group/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,13 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/compute/proximity-placement-group/tests/e2e/waf-aligned/main.test.bicep b/modules/compute/proximity-placement-group/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..93f79eb2fe --- /dev/null +++ b/modules/compute/proximity-placement-group/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,88 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-compute.proximityplacementgroups-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'cppgmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + zones: [ + '1' + ] + type: 'Standard' + tags: { + 'hidden-title': 'This is visible in the resource name' + TagA: 'Would you kindly...' + TagB: 'Tags for sale' + } + colocationStatus: { + code: 'ColocationStatus/Aligned' + displayStatus: 'Aligned' + level: 'Info' + message: 'I\'m a default error message' + } + intent: { + vmSizes: [ + 'Standard_B1ms' + 'Standard_B4ms' + ] + } + } +} diff --git a/modules/compute/ssh-public-key/tests/e2e/waf-aligned/dependencies.bicep b/modules/compute/ssh-public-key/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..13a584595b --- /dev/null +++ b/modules/compute/ssh-public-key/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,61 @@ +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +@description('Optional. Name of the Deployment Script that creates the SSH Public Key.') +param generateSshPubKeyScriptName string + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +@description('Required. Name of the temporary SSH Public Key to create for test.') +param sshKeyName string + +@description('Optional. Do not provide a value. Used to force the deployment script to rerun on every redeployment.') +param utcValue string = utcNow() + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +// required for the deployment script to create a new temporary ssh public key object +resource msi_ContributorRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + name: guid(resourceGroup().id, 'ManagedIdentityContributor', '[[namePrefix]]') + properties: { + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') // Contributor + principalId: managedIdentity.properties.principalId + principalType: 'ServicePrincipal' + } +} + +resource createPubKeyScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = { + name: generateSshPubKeyScriptName + location: location + kind: 'AzurePowerShell' + identity: { + type: 'UserAssigned' + userAssignedIdentities: { + '${managedIdentity.id}': {} + } + } + properties: { + azPowerShellVersion: '8.0' + retentionInterval: 'P1D' + arguments: '-ResourceGroupName ${resourceGroup().name} -SSHKeyName ${sshKeyName}' + scriptContent: loadTextContent('../../../../../.shared/.scripts/New-SSHKey.ps1') + cleanupPreference: 'OnExpiration' + forceUpdateTag: utcValue + } + dependsOn: [ + msi_ContributorRoleAssignment + ] +} + +@description('The public key to be added to the SSH Public Key resource.') +output publicKey string = createPubKeyScript.properties.outputs.publicKey + +@description('The resource ID of the managed Identity') +output managedIdentityId string = managedIdentity.id + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/compute/ssh-public-key/tests/e2e/waf-aligned/main.test.bicep b/modules/compute/ssh-public-key/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..a35550fe1c --- /dev/null +++ b/modules/compute/ssh-public-key/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,60 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-compute.sshPublicKeys-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +@maxLength(7) +param serviceShort string = 'cspkmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + generateSshPubKeyScriptName: 'dep-${namePrefix}-ds-${serviceShort}-generateSshPubKey' + sshKeyName: 'dep-${namePrefix}-ssh-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}-sshkey-${serviceShort}001' + publicKey: nestedDependencies.outputs.publicKey + } +} diff --git a/modules/consumption/budget/tests/e2e/waf-aligned/main.test.bicep b/modules/consumption/budget/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..691655f30f --- /dev/null +++ b/modules/consumption/budget/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,40 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'cbmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + name: '${uniqueString(deployment().name)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + amount: 500 + contactEmails: [ + 'dummy@contoso.com' + ] + thresholds: [ + 50 + 75 + 90 + 100 + 110 + ] + } +} diff --git a/modules/container-instance/container-group/tests/e2e/waf-aligned/dependencies.bicep b/modules/container-instance/container-group/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..66dc10c2f2 --- /dev/null +++ b/modules/container-instance/container-group/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,13 @@ +@description('Required. The name of the managed identity to create.') +param managedIdentityName string + +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The resource ID of the created managed identity.') +output managedIdentityResourceId string = managedIdentity.id diff --git a/modules/container-instance/container-group/tests/e2e/waf-aligned/main.test.bicep b/modules/container-instance/container-group/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..d98a8c184b --- /dev/null +++ b/modules/container-instance/container-group/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,127 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-containerinstance.containergroups-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'cicgmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + containers: [ + { + name: '${namePrefix}-az-aci-x-001' + properties: { + command: [] + environmentVariables: [] + image: 'mcr.microsoft.com/azuredocs/aci-helloworld' + ports: [ + { + port: '80' + protocol: 'Tcp' + } + { + port: '443' + protocol: 'Tcp' + } + ] + resources: { + requests: { + cpu: 2 + memoryInGB: 2 + } + } + } + } + { + name: '${namePrefix}-az-aci-x-002' + properties: { + command: [] + environmentVariables: [] + image: 'mcr.microsoft.com/azuredocs/aci-helloworld' + ports: [ + { + port: '8080' + protocol: 'Tcp' + } + ] + resources: { + requests: { + cpu: 2 + memoryInGB: 2 + } + } + } + } + ] + ipAddressPorts: [ + { + protocol: 'Tcp' + port: 80 + } + { + protocol: 'Tcp' + port: 443 + } + ] + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] + } + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/container-registry/registry/tests/e2e/waf-aligned/dependencies.bicep b/modules/container-registry/registry/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..4e89a810a0 --- /dev/null +++ b/modules/container-registry/registry/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,99 @@ +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +@description('Required. The name of the Deployment Script to create to get the paired region name.') +param pairedRegionScriptName string + +var addressPrefix = '10.0.0.0/16' + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'defaultSubnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 16, 0) + } + } + ] + } +} + +resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { + name: 'privatelink${environment().suffixes.acrLoginServer}' + location: 'global' + + resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { + name: '${virtualNetwork.name}-vnetlink' + location: 'global' + properties: { + virtualNetwork: { + id: virtualNetwork.id + } + registrationEnabled: false + } + } +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +resource roleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + name: guid('msi-${location}-${managedIdentity.id}-Reader-RoleAssignment') + properties: { + principalId: managedIdentity.properties.principalId + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'acdd72a7-3385-48ef-bd42-f606fba81ae7') // Reader + principalType: 'ServicePrincipal' + } +} + +resource getPairedRegionScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = { + name: pairedRegionScriptName + location: location + kind: 'AzurePowerShell' + identity: { + type: 'UserAssigned' + userAssignedIdentities: { + '${managedIdentity.id}': {} + } + } + properties: { + azPowerShellVersion: '8.0' + retentionInterval: 'P1D' + arguments: '-Location \\"${location}\\"' + scriptContent: loadTextContent('../../../../../.shared/.scripts/Get-PairedRegion.ps1') + } + dependsOn: [ + roleAssignment + ] +} + +@description('The resource ID of the created Virtual Network Subnet.') +output subnetResourceId string = virtualNetwork.properties.subnets[0].id + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Managed Identity.') +output managedIdentityResourceId string = managedIdentity.id + +@description('The resource ID of the created Private DNS Zone.') +output privateDNSZoneResourceId string = privateDNSZone.id + +@description('The name of the paired region.') +output pairedRegionName string = getPairedRegionScript.properties.outputs.pairedRegionName diff --git a/modules/container-registry/registry/tests/e2e/waf-aligned/main.test.bicep b/modules/container-registry/registry/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..5a9631cb3d --- /dev/null +++ b/modules/container-registry/registry/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,160 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-containerregistry.registries-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'crrmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total) + location: location + managedIdentityName: 'dep-${namePrefix}-msi-ds-${serviceShort}' + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + pairedRegionScriptName: 'dep-${namePrefix}-ds-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + acrAdminUserEnabled: false + acrSku: 'Premium' + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + exportPolicyStatus: 'enabled' + azureADAuthenticationAsArmPolicyStatus: 'enabled' + softDeletePolicyStatus: 'disabled' + softDeletePolicyDays: 7 + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + privateEndpoints: [ + { + service: 'registry' + subnetResourceId: nestedDependencies.outputs.subnetResourceId + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + networkRuleSetIpRules: [ + { + action: 'Allow' + value: '40.74.28.0/23' + } + ] + quarantinePolicyStatus: 'enabled' + replications: [ + { + location: nestedDependencies.outputs.pairedRegionName + name: nestedDependencies.outputs.pairedRegionName + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] + } + trustPolicyStatus: 'enabled' + cacheRules: [ + { + name: 'customRule' + sourceRepository: 'docker.io/library/hello-world' + targetRepository: 'cached-docker-hub/hello-world' + } + { + sourceRepository: 'docker.io/library/hello-world' + } + ] + webhooks: [ + { + name: '${namePrefix}acrx001webhook' + serviceUri: 'https://www.contoso.com/webhook' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/data-factory/factory/tests/e2e/waf-aligned/dependencies.bicep b/modules/data-factory/factory/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..a6ab43ad7a --- /dev/null +++ b/modules/data-factory/factory/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,135 @@ +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +@description('Required. The name of the Key Vault to create.') +param keyVaultName string + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +@description('Required. The name of the Storage Account to create.') +param storageAccountName string + +var addressPrefix = '10.0.0.0/16' + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'defaultSubnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 16, 0) + } + } + ] + } +} + +resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { + name: 'privatelink.datafactory.azure.net' + location: 'global' + + resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { + name: '${virtualNetworkName}-vnetlink' + location: 'global' + properties: { + virtualNetwork: { + id: virtualNetwork.id + } + registrationEnabled: false + } + } +} + +resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = { + name: keyVaultName + location: location + properties: { + sku: { + family: 'A' + name: 'standard' + } + tenantId: tenant().tenantId + enablePurgeProtection: null + enabledForTemplateDeployment: true + enabledForDiskEncryption: true + enabledForDeployment: true + enableRbacAuthorization: true + accessPolicies: [] + } + + resource key 'keys@2022-07-01' = { + name: 'encryptionKey' + properties: { + kty: 'RSA' + } + } +} + +resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-KeyVault-Key-Read-RoleAssignment') + scope: keyVault::key + properties: { + principalId: managedIdentity.properties.principalId + // Key Vault Crypto User + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424') + principalType: 'ServicePrincipal' + } +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +resource storageAccount 'Microsoft.Storage/storageAccounts@2021-08-01' = { + name: storageAccountName + location: location + kind: 'StorageV2' + sku: { + name: 'Standard_LRS' + } + properties: { + allowBlobPublicAccess: false + } +} + +@description('The resource ID of the created Virtual Network Subnet.') +output subnetResourceId string = virtualNetwork.properties.subnets[0].id + +@description('The resource ID of the created Private DNS Zone.') +output privateDNSZoneResourceId string = privateDNSZone.id + +@description('The resource ID of the created Key Vault.') +output keyVaultResourceId string = keyVault.id + +@description('The URL of the created Key Vault.') +output keyVaultUrl string = keyVault.properties.vaultUri + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Managed Identity.') +output managedIdentityResourceId string = managedIdentity.id + +@description('The name of the created Key Vault Encryption Key.') +output keyVaultEncryptionKeyName string = keyVault::key.name + +@description('The resource ID of the created Storage Account.') +output storageAccountResourceId string = storageAccount.id + +@description('The name of the created Storage Account.') +output storageAccountName string = storageAccount.name + +@description('The Blob Endpoint of the created Storage Account.') +output storageAccountBlobEndpoint string = storageAccount.properties.primaryEndpoints.blob diff --git a/modules/data-factory/factory/tests/e2e/waf-aligned/main.test.bicep b/modules/data-factory/factory/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..8e8dd7f0ad --- /dev/null +++ b/modules/data-factory/factory/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,161 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-datafactory.factories-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'dffmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + storageAccountName: 'dep${namePrefix}st${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + customerManagedKey: { + keyName: nestedDependencies.outputs.keyVaultEncryptionKeyName + keyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId + userAssignedIdentityResourceId: nestedDependencies.outputs.managedIdentityResourceId + } + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + gitConfigureLater: true + globalParameters: { + testParameter1: { + type: 'String' + value: 'testValue1' + } + } + integrationRuntimes: [ + { + managedVirtualNetworkName: 'default' + name: 'AutoResolveIntegrationRuntime' + type: 'Managed' + typeProperties: { + computeProperties: { + location: 'AutoResolve' + } + } + } + + { + name: 'TestRuntime' + type: 'SelfHosted' + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedPrivateEndpoints: [ + { + fqdns: [ + nestedDependencies.outputs.storageAccountBlobEndpoint + ] + groupId: 'blob' + name: '${nestedDependencies.outputs.storageAccountName}-managed-privateEndpoint' + privateLinkResourceId: nestedDependencies.outputs.storageAccountResourceId + } + ] + managedVirtualNetworkName: 'default' + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] + subnetResourceId: nestedDependencies.outputs.subnetResourceId + tags: { + 'hidden-title': 'This is visible in the resource name' + application: 'CARML' + } + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] + } + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/data-protection/backup-vault/tests/e2e/waf-aligned/dependencies.bicep b/modules/data-protection/backup-vault/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..0f0755a6f4 --- /dev/null +++ b/modules/data-protection/backup-vault/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,16 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Managed Identity.') +output managedIdentityResourceId string = managedIdentity.id diff --git a/modules/data-protection/backup-vault/tests/e2e/waf-aligned/main.test.bicep b/modules/data-protection/backup-vault/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..9a85777eb1 --- /dev/null +++ b/modules/data-protection/backup-vault/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,138 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-dataprotection.backupvaults-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'dpbvmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + azureMonitorAlertSettingsAlertsForAllJobFailures: 'Disabled' + managedIdentities: { + systemAssigned: true + } + backupPolicies: [ + { + name: 'DefaultPolicy' + properties: { + datasourceTypes: [ + 'Microsoft.Compute/disks' + ] + objectType: 'BackupPolicy' + policyRules: [ + { + backupParameters: { + backupType: 'Incremental' + objectType: 'AzureBackupParams' + } + dataStore: { + dataStoreType: 'OperationalStore' + objectType: 'DataStoreInfoBase' + } + name: 'BackupDaily' + objectType: 'AzureBackupRule' + trigger: { + objectType: 'ScheduleBasedTriggerContext' + schedule: { + repeatingTimeIntervals: [ + 'R/2022-05-31T23:30:00+01:00/P1D' + ] + timeZone: 'W. Europe Standard Time' + } + taggingCriteria: [ + { + isDefault: true + taggingPriority: 99 + tagInfo: { + id: 'Default_' + tagName: 'Default' + } + } + ] + } + } + { + isDefault: true + lifecycles: [ + { + deleteAfter: { + duration: 'P7D' + objectType: 'AbsoluteDeleteOption' + } + sourceDataStore: { + dataStoreType: 'OperationalStore' + objectType: 'DataStoreInfoBase' + } + targetDataStoreCopySettings: [] + } + ] + name: 'Default' + objectType: 'AzureRetentionRule' + } + ] + } + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/databricks/access-connector/tests/e2e/waf-aligned/dependencies.bicep b/modules/databricks/access-connector/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..b20bc53e8f --- /dev/null +++ b/modules/databricks/access-connector/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,16 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = { + name: managedIdentityName + location: location +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Managed Identity.') +output managedIdentityResourceId string = managedIdentity.id diff --git a/modules/databricks/access-connector/tests/e2e/waf-aligned/main.test.bicep b/modules/databricks/access-connector/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..d67edfcaff --- /dev/null +++ b/modules/databricks/access-connector/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,79 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-databricks.accessconnectors-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'dacmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + location: resourceGroup.location + } +} diff --git a/modules/databricks/workspace/tests/e2e/waf-aligned/dependencies.bicep b/modules/databricks/workspace/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..4c074d6ae8 --- /dev/null +++ b/modules/databricks/workspace/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,368 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +@description('Required. The name of the Key Vault to create.') +param keyVaultName string + +@description('Required. The name of the Key Vault for Disk Encryption to create.') +param keyVaultDiskName string + +@description('Required. The name of the Azure Machine Learning Workspace to create.') +param amlWorkspaceName string + +@description('Required. The name of the Load Balancer to create.') +param loadBalancerName string + +@description('Required. The name of the Network Security Group to create.') +param networkSecurityGroupName string + +@description('Required. The name of the Storage Account to create.') +param storageAccountName string + +@description('Required. The name of the Application Insights Instanec to create.') +param applicationInsightsName string + +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +var addressPrefix = '10.0.0.0/16' + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = { + name: keyVaultName + location: location + properties: { + sku: { + family: 'A' + name: 'standard' + } + tenantId: tenant().tenantId + enablePurgeProtection: true // Required by batch account + softDeleteRetentionInDays: 7 + enabledForTemplateDeployment: true + enabledForDiskEncryption: true + enabledForDeployment: true + enableRbacAuthorization: true + accessPolicies: [] + } + + resource key 'keys@2022-07-01' = { + name: 'keyEncryptionKey' + properties: { + kty: 'RSA' + } + } +} + +resource keyVaultDisk 'Microsoft.KeyVault/vaults@2022-07-01' = { + name: keyVaultDiskName + location: location + properties: { + sku: { + family: 'A' + name: 'standard' + } + tenantId: tenant().tenantId + enablePurgeProtection: true // Required by batch account + softDeleteRetentionInDays: 7 + enabledForTemplateDeployment: true + enabledForDiskEncryption: true + enabledForDeployment: true + enableRbacAuthorization: true + accessPolicies: [] + } + + resource key 'keys@2022-07-01' = { + name: 'keyEncryptionKeyDisk' + properties: { + kty: 'RSA' + } + } +} + +resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-Key-Key-Vault-Crypto-User-RoleAssignment') + scope: keyVault::key + properties: { + principalId: '5167ea7a-355a-466f-ae8b-8ea60f718b35' // AzureDatabricks Enterprise Application Object Id + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '12338af0-0e69-4776-bea7-57ae8d297424') // Key Vault Crypto User + principalType: 'ServicePrincipal' + } +} + +resource amlPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + name: guid('msi-${keyVault.id}-${location}-${managedIdentity.id}-Key-Vault-Contributor') + scope: keyVault + properties: { + principalId: managedIdentity.properties.principalId + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') // Contributor + principalType: 'ServicePrincipal' + } +} + +resource storageAccount 'Microsoft.Storage/storageAccounts@2023-01-01' = { + name: storageAccountName + location: location + sku: { + name: 'Standard_ZRS' + } + kind: 'StorageV2' + properties: {} +} + +resource applicationInsights 'Microsoft.Insights/components@2020-02-02' = { + name: applicationInsightsName + location: location + kind: 'web' + properties: { + Application_Type: 'web' + } +} + +resource machineLearningWorkspace 'Microsoft.MachineLearningServices/workspaces@2023-04-01' = { + name: amlWorkspaceName + location: location + identity: { + type: 'UserAssigned' + userAssignedIdentities: { + '${managedIdentity.id}': {} + } + } + properties: { + storageAccount: storageAccount.id + keyVault: keyVault.id + applicationInsights: applicationInsights.id + primaryUserAssignedIdentity: managedIdentity.id + } +} + +resource loadBalancer 'Microsoft.Network/loadBalancers@2023-04-01' = { + name: loadBalancerName + location: location + properties: { + backendAddressPools: [ + { + name: 'default' + } + ] + frontendIPConfigurations: [ + { + name: 'privateIPConfig1' + properties: { + subnet: { + id: virtualNetwork.properties.subnets[0].id + } + } + } + ] + } +} + +resource networkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2023-04-01' = { + name: networkSecurityGroupName + location: location + properties: { + securityRules: [ + { + name: 'Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-worker-inbound' + properties: { + description: 'Required for worker nodes communication within a cluster.' + protocol: '*' + sourcePortRange: '*' + destinationPortRange: '*' + sourceAddressPrefix: 'VirtualNetwork' + destinationAddressPrefix: 'VirtualNetwork' + access: 'Allow' + priority: 100 + direction: 'Inbound' + } + } + { + name: 'Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-databricks-webapp' + properties: { + description: 'Required for workers communication with Databricks Webapp.' + protocol: 'Tcp' + sourcePortRange: '*' + destinationPortRange: '443' + sourceAddressPrefix: 'VirtualNetwork' + destinationAddressPrefix: 'AzureDatabricks' + access: 'Allow' + priority: 100 + direction: 'Outbound' + } + } + { + name: 'Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-sql' + properties: { + description: 'Required for workers communication with Azure SQL services.' + protocol: 'Tcp' + sourcePortRange: '*' + destinationPortRange: '3306' + sourceAddressPrefix: 'VirtualNetwork' + destinationAddressPrefix: 'Sql' + access: 'Allow' + priority: 101 + direction: 'Outbound' + } + } + { + name: 'Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-storage' + properties: { + description: 'Required for workers communication with Azure Storage services.' + protocol: 'Tcp' + sourcePortRange: '*' + destinationPortRange: '443' + sourceAddressPrefix: 'VirtualNetwork' + destinationAddressPrefix: 'Storage' + access: 'Allow' + priority: 102 + direction: 'Outbound' + } + } + { + name: 'Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-worker-outbound' + properties: { + description: 'Required for worker nodes communication within a cluster.' + protocol: '*' + sourcePortRange: '*' + destinationPortRange: '*' + sourceAddressPrefix: 'VirtualNetwork' + destinationAddressPrefix: 'VirtualNetwork' + access: 'Allow' + priority: 103 + direction: 'Outbound' + } + } + { + name: 'Microsoft.Databricks-workspaces_UseOnly_databricks-worker-to-eventhub' + properties: { + description: 'Required for worker communication with Azure Eventhub services.' + protocol: 'Tcp' + sourcePortRange: '*' + destinationPortRange: '9093' + sourceAddressPrefix: 'VirtualNetwork' + destinationAddressPrefix: 'EventHub' + access: 'Allow' + priority: 104 + direction: 'Outbound' + } + } + ] + } +} + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2022-01-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'defaultSubnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 20, 0) + } + } + { + name: 'custom-public-subnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 20, 1) + networkSecurityGroup: { + id: networkSecurityGroup.id + } + delegations: [ + { + name: 'databricksDelegation' + properties: { + serviceName: 'Microsoft.Databricks/workspaces' + } + } + ] + } + } + { + name: 'custom-private-subnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 20, 2) + networkSecurityGroup: { + id: networkSecurityGroup.id + } + delegations: [ + { + name: 'databricksDelegation' + properties: { + serviceName: 'Microsoft.Databricks/workspaces' + } + } + ] + } + } + ] + } +} + +resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { + name: 'privatelink.azuredatabricks.net' + location: 'global' + + resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { + name: '${virtualNetwork.name}-vnetlink' + location: 'global' + properties: { + virtualNetwork: { + id: virtualNetwork.id + } + registrationEnabled: false + } + } +} + +@description('The resource ID of the created Virtual Network Default Subnet.') +output defaultSubnetResourceId string = virtualNetwork.properties.subnets[0].id + +@description('The name of the created Virtual Network Public Subnet.') +output customPublicSubnetName string = virtualNetwork.properties.subnets[1].name + +@description('The name of the created Virtual Network Private Subnet.') +output customPrivateSubnetName string = virtualNetwork.properties.subnets[2].name + +@description('The resource ID of the created Virtual Network.') +output virtualNetworkResourceId string = virtualNetwork.id + +@description('The resource ID of the created Private DNS Zone.') +output privateDNSZoneResourceId string = privateDNSZone.id + +@description('The resource ID of the created Azure Machine Learning Workspace.') +output machineLearningWorkspaceResourceId string = machineLearningWorkspace.id + +@description('The resource ID of the created Key Vault.') +output keyVaultResourceId string = keyVault.id + +@description('The resource ID of the created Disk Key Vault.') +output keyVaultDiskResourceId string = keyVaultDisk.id + +@description('The resource ID of the created Load Balancer.') +output loadBalancerResourceId string = loadBalancer.id + +@description('The name of the created Load Balancer Backend Pool.') +output loadBalancerBackendPoolName string = loadBalancer.properties.backendAddressPools[0].name + +@description('The name of the created Key Vault encryption key.') +output keyVaultKeyName string = keyVault::key.name + +@description('The name of the created Key Vault Disk encryption key.') +output keyVaultDiskKeyName string = keyVaultDisk::key.name + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/databricks/workspace/tests/e2e/waf-aligned/main.test.bicep b/modules/databricks/workspace/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..cbf4a382c1 --- /dev/null +++ b/modules/databricks/workspace/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,156 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-databricks.workspaces-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'dwmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Generated. Used as a basis for unique resource names.') +param baseTime string = utcNow('u') + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + amlWorkspaceName: 'dep-${namePrefix}-aml-${serviceShort}' + applicationInsightsName: 'dep-${namePrefix}-appi-${serviceShort}' + loadBalancerName: 'dep-${namePrefix}-lb-${serviceShort}' + storageAccountName: 'dep${namePrefix}sa${serviceShort}' + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + networkSecurityGroupName: 'dep-${namePrefix}-nsg-${serviceShort}' + // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total) + keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}' + keyVaultDiskName: 'dep-${namePrefix}-kve-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + diagnosticSettings: [ + { + name: 'customSetting' + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + logCategoriesAndGroups: [ + { + category: 'jobs' + } + { + category: 'notebook' + + } + ] + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + customerManagedKey: { + keyName: nestedDependencies.outputs.keyVaultKeyName + keyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId + } + customerManagedKeyManagedDisk: { + keyName: nestedDependencies.outputs.keyVaultDiskKeyName + keyVaultResourceId: nestedDependencies.outputs.keyVaultDiskResourceId + rotationToLatestKeyVersionEnabled: true + } + storageAccountName: 'sa${namePrefix}${serviceShort}001' + storageAccountSkuName: 'Standard_ZRS' + publicIpName: 'nat-gw-public-ip' + natGatewayName: 'nat-gateway' + prepareEncryption: true + requiredNsgRules: 'NoAzureDatabricksRules' + skuName: 'premium' + amlWorkspaceResourceId: nestedDependencies.outputs.machineLearningWorkspaceResourceId + customPrivateSubnetName: nestedDependencies.outputs.customPrivateSubnetName + customPublicSubnetName: nestedDependencies.outputs.customPublicSubnetName + publicNetworkAccess: 'Disabled' + disablePublicIp: true + loadBalancerResourceId: nestedDependencies.outputs.loadBalancerResourceId + loadBalancerBackendPoolName: nestedDependencies.outputs.loadBalancerBackendPoolName + customVirtualNetworkResourceId: nestedDependencies.outputs.virtualNetworkResourceId + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] + subnetResourceId: nestedDependencies.outputs.defaultSubnetResourceId + tags: { + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + managedResourceGroupResourceId: '${subscription().id}/resourceGroups/rg-${resourceGroupName}-managed' + requireInfrastructureEncryption: true + vnetAddressPrefix: '10.100' + location: resourceGroup.location + } +} diff --git a/modules/desktop-virtualization/application-group/tests/e2e/waf-aligned/dependencies.bicep b/modules/desktop-virtualization/application-group/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..41ca94022b --- /dev/null +++ b/modules/desktop-virtualization/application-group/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,29 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +@description('Required. The name of the Host Pool to create.') +param hostPoolName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +resource hostPool 'Microsoft.DesktopVirtualization/hostPools@2022-09-09' = { + name: hostPoolName + location: location + properties: { + hostPoolType: 'Pooled' + loadBalancerType: 'BreadthFirst' + preferredAppGroupType: 'Desktop' + } +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The name of the created Host Pool.') +output hostPoolName string = hostPool.name diff --git a/modules/desktop-virtualization/application-group/tests/e2e/waf-aligned/main.test.bicep b/modules/desktop-virtualization/application-group/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..115ba77ed7 --- /dev/null +++ b/modules/desktop-virtualization/application-group/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,119 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-desktopvirtualization.applicationgroups-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'dvagmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + hostPoolName: 'dep-${namePrefix}-hp-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + applicationGroupType: 'RemoteApp' + hostpoolName: nestedDependencies.outputs.hostPoolName + applications: [ + { + commandLineArguments: '' + commandLineSetting: 'DoNotAllow' + description: 'Notepad by ARM template' + filePath: 'C:\\Windows\\System32\\notepad.exe' + friendlyName: 'Notepad' + iconIndex: 0 + iconPath: 'C:\\Windows\\System32\\notepad.exe' + name: 'notepad' + showInPortal: true + } + { + filePath: 'C:\\Program Files\\Windows NT\\Accessories\\wordpad.exe' + friendlyName: 'Wordpad' + name: 'wordpad' + } + ] + description: 'This is my first Remote Applications bundle' + diagnosticSettings: [ + { + name: 'customSetting' + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + friendlyName: 'Remote Applications 1' + location: location + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/desktop-virtualization/host-pool/tests/e2e/waf-aligned/dependencies.bicep b/modules/desktop-virtualization/host-pool/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..a7f42aee7b --- /dev/null +++ b/modules/desktop-virtualization/host-pool/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,13 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/desktop-virtualization/host-pool/tests/e2e/waf-aligned/main.test.bicep b/modules/desktop-virtualization/host-pool/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..d48cbdcade --- /dev/null +++ b/modules/desktop-virtualization/host-pool/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,135 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-desktopvirtualization.hostpools-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'dvhpmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + customRdpProperty: 'audiocapturemode:i:1;audiomode:i:0;drivestoredirect:s:;redirectclipboard:i:1;redirectcomports:i:1;redirectprinters:i:1;redirectsmartcards:i:1;screen mode id:i:2;' + diagnosticSettings: [ + { + name: 'customSetting' + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + description: 'My first AVD Host Pool' + friendlyName: 'AVDv2' + type: 'Pooled' + loadBalancerType: 'BreadthFirst' + location: location + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + maxSessionLimit: 99999 + personalDesktopAssignmentType: 'Automatic' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + vmTemplate: { + customImageId: null + domain: 'domainname.onmicrosoft.com' + galleryImageOffer: 'office-365' + galleryImagePublisher: 'microsoftwindowsdesktop' + galleryImageSKU: '20h1-evd-o365pp' + imageType: 'Gallery' + imageUri: null + namePrefix: 'avdv2' + osDiskType: 'StandardSSD_LRS' + useManagedDisks: true + vmSize: { + cores: 2 + id: 'Standard_D2s_v3' + ram: 8 + } + } + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + agentUpdate: { + type: 'Scheduled' + useSessionHostLocalTime: false + maintenanceWindowTimeZone: 'Alaskan Standard Time' + maintenanceWindows: [ + { + hour: 7 + dayOfWeek: 'Friday' + } + { + hour: 8 + dayOfWeek: 'Saturday' + } + ] + } + } +} diff --git a/modules/desktop-virtualization/scaling-plan/tests/e2e/waf-aligned/dependencies.bicep b/modules/desktop-virtualization/scaling-plan/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..a7f42aee7b --- /dev/null +++ b/modules/desktop-virtualization/scaling-plan/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,13 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/desktop-virtualization/scaling-plan/tests/e2e/waf-aligned/main.test.bicep b/modules/desktop-virtualization/scaling-plan/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..b8426b2533 --- /dev/null +++ b/modules/desktop-virtualization/scaling-plan/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,133 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-desktopvirtualization.scalingplans-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'dvspmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + diagnosticSettings: [ + { + name: 'customSetting' + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + hostPoolType: 'Pooled' + friendlyName: 'My Scaling Plan' + description: 'My Scaling Plan Description' + schedules: [ { + rampUpStartTime: { + hour: 7 + minute: 0 + } + peakStartTime: { + hour: 9 + minute: 0 + } + rampDownStartTime: { + hour: 18 + minute: 0 + } + offPeakStartTime: { + hour: 20 + minute: 0 + } + name: 'weekdays_schedule' + daysOfWeek: [ + 'Monday' + 'Tuesday' + 'Wednesday' + 'Thursday' + 'Friday' + ] + rampUpLoadBalancingAlgorithm: 'DepthFirst' + rampUpMinimumHostsPct: 20 + rampUpCapacityThresholdPct: 60 + peakLoadBalancingAlgorithm: 'DepthFirst' + rampDownLoadBalancingAlgorithm: 'DepthFirst' + rampDownMinimumHostsPct: 10 + rampDownCapacityThresholdPct: 90 + rampDownForceLogoffUsers: true + rampDownWaitTimeMinutes: 30 + rampDownNotificationMessage: 'You will be logged off in 30 min. Make sure to save your work.' + rampDownStopHostsWhen: 'ZeroSessions' + offPeakLoadBalancingAlgorithm: 'DepthFirst' + } + ] + } +} diff --git a/modules/desktop-virtualization/workspace/tests/e2e/waf-aligned/dependencies.bicep b/modules/desktop-virtualization/workspace/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..8e753087b2 --- /dev/null +++ b/modules/desktop-virtualization/workspace/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,41 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +@description('Required. The name of the Application Group to create.') +param applicationGroupName string + +@description('Required. The name of the Host Pool to create.') +param hostPoolName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +resource hostPool 'Microsoft.DesktopVirtualization/hostPools@2022-09-09' = { + name: hostPoolName + location: location + properties: { + hostPoolType: 'Pooled' + loadBalancerType: 'BreadthFirst' + preferredAppGroupType: 'Desktop' + } +} + +resource applicationGroup 'Microsoft.DesktopVirtualization/applicationGroups@2022-09-09' = { + name: applicationGroupName + location: location + properties: { + applicationGroupType: 'Desktop' + hostPoolArmPath: hostPool.id + } +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Application Group.') +output applicationGroupResourceId string = applicationGroup.id diff --git a/modules/desktop-virtualization/workspace/tests/e2e/waf-aligned/main.test.bicep b/modules/desktop-virtualization/workspace/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..565fbfe6a8 --- /dev/null +++ b/modules/desktop-virtualization/workspace/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,103 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-desktopvirtualization.workspaces-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'dvwmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + applicationGroupName: 'dep-${namePrefix}-appGroup-${serviceShort}' + hostPoolName: 'dep-${namePrefix}-hp-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + appGroupResourceIds: [ + nestedDependencies.outputs.applicationGroupResourceId + ] + diagnosticSettings: [ + { + name: 'customSetting' + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + location: location + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + description: 'This is my first AVD Workspace' + friendlyName: 'My first AVD Workspace' + } +} diff --git a/modules/dev-test-lab/lab/tests/e2e/waf-aligned/dependencies.bicep b/modules/dev-test-lab/lab/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..10d28c8ae6 --- /dev/null +++ b/modules/dev-test-lab/lab/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,134 @@ +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +@description('Required. The name of the Disk Encryption Set to create.') +param diskEncryptionSetName string + +@description('Required. The name of the Key Vault to create.') +param keyVaultName string + +@description('Required. The name of the Storage Account to create.') +param storageAccountName string + +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +var addressPrefix = '10.0.0.0/16' + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = { + name: keyVaultName + location: location + properties: { + sku: { + family: 'A' + name: 'standard' + } + tenantId: tenant().tenantId + enablePurgeProtection: true // Required for encrption to work + softDeleteRetentionInDays: 7 + enabledForTemplateDeployment: true + enabledForDiskEncryption: true + enabledForDeployment: true + enableRbacAuthorization: true + accessPolicies: [] + } + + resource key 'keys@2022-07-01' = { + name: 'encryptionKey' + properties: { + kty: 'RSA' + } + } +} + +resource diskEncryptionSet 'Microsoft.Compute/diskEncryptionSets@2021-04-01' = { + name: diskEncryptionSetName + location: location + identity: { + type: 'SystemAssigned' + } + properties: { + activeKey: { + sourceVault: { + id: keyVault.id + } + keyUrl: keyVault::key.properties.keyUriWithVersion + } + encryptionType: 'EncryptionAtRestWithCustomerKey' + } +} + +resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + name: guid('msi-${keyVault.id}-${location}-${diskEncryptionSet.id}-KeyVault-Key-Read-RoleAssignment') + scope: keyVault + properties: { + principalId: diskEncryptionSet.identity.principalId + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6') // Key Vault Crypto Service Encryption User + principalType: 'ServicePrincipal' + } +} + +resource storageAccount 'Microsoft.Storage/storageAccounts@2021-09-01' = { + name: storageAccountName + location: location + kind: 'StorageV2' + sku: { + name: 'Standard_LRS' + } + properties: { + allowBlobPublicAccess: false + publicNetworkAccess: 'Disabled' + } +} + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'defaultSubnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 16, 0) + } + } + ] + } +} + +@description('The name of the created Virtual Network.') +output virtualNetworkName string = virtualNetwork.name + +@description('The resource ID of the created Virtual Network.') +output virtualNetworkResourceId string = virtualNetwork.id + +@description('The name of the created Virtual Network Subnet.') +output subnetName string = virtualNetwork.properties.subnets[0].name + +@description('The resource ID of the created Virtual Network Subnet.') +output subnetResourceId string = virtualNetwork.properties.subnets[0].id + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Managed Identity.') +output managedIdentityResourceId string = managedIdentity.id + +@description('The resource ID of the created Disk Encryption Set.') +output diskEncryptionSetResourceId string = diskEncryptionSet.id + +@description('The resource ID of the created Storage Account.') +output storageAccountResourceId string = storageAccount.id diff --git a/modules/dev-test-lab/lab/tests/e2e/waf-aligned/main.test.bicep b/modules/dev-test-lab/lab/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..302920b17e --- /dev/null +++ b/modules/dev-test-lab/lab/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,286 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-devtestlab.labs-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'dtllmax' + +@description('Generated. Used as a basis for unique resource names.') +param baseTime string = utcNow('u') + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total) + keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}-${substring(uniqueString(baseTime), 0, 3)}' + diskEncryptionSetName: 'dep-${namePrefix}-des-${serviceShort}' + storageAccountName: 'dep${namePrefix}sa${serviceShort}' + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + location: resourceGroup.location + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + resourceType: 'DevTest Lab' + labName: '${namePrefix}${serviceShort}001' + } + announcement: { + enabled: 'Enabled' + expirationDate: '2025-12-30T13:00:00.000Z' + markdown: 'DevTest Lab announcement text.
New line. It also supports Markdown' + title: 'DevTest announcement title' + } + environmentPermission: 'Contributor' + extendedProperties: { + RdpConnectionType: '7' + } + labStorageType: 'Premium' + artifactsStorageAccount: nestedDependencies.outputs.storageAccountResourceId + premiumDataDisks: 'Enabled' + support: { + enabled: 'Enabled' + markdown: 'DevTest Lab support text.
New line. It also supports Markdown' + } + managedIdentities: { + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] + } + managementIdentitiesResourceIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] + vmCreationResourceGroupId: resourceGroup.id + browserConnect: 'Enabled' + disableAutoUpgradeCseMinorVersion: true + isolateLabResources: 'Enabled' + encryptionType: 'EncryptionAtRestWithCustomerKey' + encryptionDiskEncryptionSetId: nestedDependencies.outputs.diskEncryptionSetResourceId + virtualnetworks: [ + { + name: nestedDependencies.outputs.virtualNetworkName + externalProviderResourceId: nestedDependencies.outputs.virtualNetworkResourceId + description: 'lab virtual network description' + allowedSubnets: [ + { + labSubnetName: nestedDependencies.outputs.subnetName + resourceId: nestedDependencies.outputs.subnetResourceId + allowPublicIp: 'Allow' + } + ] + subnetOverrides: [ + { + labSubnetName: nestedDependencies.outputs.subnetName + resourceId: nestedDependencies.outputs.subnetResourceId + useInVmCreationPermission: 'Allow' + usePublicIpAddressPermission: 'Allow' + sharedPublicIpAddressConfiguration: { + allowedPorts: [ + { + transportProtocol: 'Tcp' + backendPort: 3389 + } + { + transportProtocol: 'Tcp' + backendPort: 22 + } + ] + } + } + ] + } + ] + policies: [ + { + name: nestedDependencies.outputs.subnetName + evaluatorType: 'MaxValuePolicy' + factData: nestedDependencies.outputs.subnetResourceId + factName: 'UserOwnedLabVmCountInSubnet' + threshold: '1' + } + { + name: 'MaxVmsAllowedPerUser' + evaluatorType: 'MaxValuePolicy' + factName: 'UserOwnedLabVmCount' + threshold: '2' + } + { + name: 'MaxPremiumVmsAllowedPerUser' + evaluatorType: 'MaxValuePolicy' + factName: 'UserOwnedLabPremiumVmCount' + status: 'Disabled' + threshold: '1' + } + { + name: 'MaxVmsAllowedPerLab' + evaluatorType: 'MaxValuePolicy' + factName: 'LabVmCount' + threshold: '3' + } + { + name: 'MaxPremiumVmsAllowedPerLab' + evaluatorType: 'MaxValuePolicy' + factName: 'LabPremiumVmCount' + threshold: '2' + } + { + name: 'AllowedVmSizesInLab' + evaluatorType: 'AllowedValuesPolicy' + factData: '' + factName: 'LabVmSize' + threshold: ' ${string('["Basic_A0","Basic_A1"]')}' + status: 'Enabled' + } + { + name: 'ScheduleEditPermission' + evaluatorType: 'AllowedValuesPolicy' + factName: 'ScheduleEditPermission' + threshold: ' ${string('["None","Modify"]')}' + } + { + name: 'GalleryImage' + evaluatorType: 'AllowedValuesPolicy' + factName: 'GalleryImage' + threshold: ' ${string('["{\\"offer\\":\\"WindowsServer\\",\\"publisher\\":\\"MicrosoftWindowsServer\\",\\"sku\\":\\"2019-Datacenter-smalldisk\\",\\"osType\\":\\"Windows\\",\\"version\\":\\"latest\\"}","{\\"offer\\":\\"WindowsServer\\",\\"publisher\\":\\"MicrosoftWindowsServer\\",\\"sku\\":\\"2022-datacenter-smalldisk\\",\\"osType\\":\\"Windows\\",\\"version\\":\\"latest\\"}"]')}' + } + { + name: 'EnvironmentTemplate' + description: 'Public Environment Policy' + evaluatorType: 'AllowedValuesPolicy' + factName: 'EnvironmentTemplate' + threshold: ' ${string('[""]')}' + } + ] + schedules: [ + { + name: 'LabVmsShutdown' + taskType: 'LabVmsShutdownTask' + status: 'Enabled' + timeZoneId: 'AUS Eastern Standard Time' + dailyRecurrence: { + time: '0000' + } + notificationSettingsStatus: 'Enabled' + notificationSettingsTimeInMinutes: 30 + } + { + name: 'LabVmAutoStart' + taskType: 'LabVmsStartupTask' + status: 'Enabled' + timeZoneId: 'AUS Eastern Standard Time' + weeklyRecurrence: { + time: '0700' + weekdays: [ + 'Monday' + 'Tuesday' + 'Wednesday' + 'Thursday' + 'Friday' + ] + } + } + ] + notificationchannels: [ + { + name: 'autoShutdown' + description: 'Integration configured for auto-shutdown' + events: [ + { + eventName: 'AutoShutdown' + } + ] + emailRecipient: 'mail@contosodtlmail.com' + webHookUrl: 'https://webhook.contosotest.com' + notificationLocale: 'en' + } + { + name: 'costThreshold' + events: [ + { + eventName: 'Cost' + } + ] + webHookUrl: 'https://webhook.contosotest.com' + } + ] + artifactsources: [ + { + name: 'Public Repo' + displayName: 'Public Artifact Repo' + status: 'Disabled' + uri: 'https://github.com/Azure/azure-devtestlab.git' + sourceType: 'GitHub' + branchRef: 'master' + folderPath: '/Artifacts' + } + { + name: 'Public Environment Repo' + displayName: 'Public Environment Repo' + status: 'Disabled' + uri: 'https://github.com/Azure/azure-devtestlab.git' + sourceType: 'GitHub' + branchRef: 'master' + armTemplateFolderPath: '/Environments' + } + ] + costs: { + status: 'Enabled' + cycleType: 'CalendarMonth' + target: 450 + thresholdValue100DisplayOnChart: 'Enabled' + thresholdValue100SendNotificationWhenExceeded: 'Enabled' + } + } +} diff --git a/modules/digital-twins/digital-twins-instance/tests/e2e/waf-aligned/dependencies.bicep b/modules/digital-twins/digital-twins-instance/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..87c0cf8a6f --- /dev/null +++ b/modules/digital-twins/digital-twins-instance/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,162 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +@description('Required. The name of the Event Hub Namespace to create.') +param eventHubNamespaceName string + +@description('Required. The name of the Event Hub to create.') +param eventHubName string + +@description('Required. Service Bus name') +param serviceBusName string + +@description('Required. Event Grid Domain name.') +param eventGridDomainName string + +var addressPrefix = '10.0.0.0/16' + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'defaultSubnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 16, 0) + serviceEndpoints: [ + { + service: 'Microsoft.KeyVault' + } + ] + } + } + ] + } +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { + name: 'privatelink.digitaltwins.azure.net' + location: 'global' + + resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { + name: '${virtualNetwork.name}-vnetlink' + location: 'global' + properties: { + virtualNetwork: { + id: virtualNetwork.id + } + registrationEnabled: false + } + } +} + +resource eventHubNamespace 'Microsoft.EventHub/namespaces@2022-10-01-preview' = { + name: eventHubNamespaceName + location: location + properties: { + zoneRedundant: false + isAutoInflateEnabled: false + maximumThroughputUnits: 0 + } + + resource eventHub 'eventhubs@2022-10-01-preview' = { + name: eventHubName + } +} + +resource serviceBus 'Microsoft.ServiceBus/namespaces@2022-10-01-preview' = { + name: serviceBusName + location: location + properties: { + zoneRedundant: false + } + + resource topic 'topics@2022-10-01-preview' = { + name: 'topic' + } +} + +resource eventGridDomain 'Microsoft.EventGrid/domains@2022-06-15' = { + name: eventGridDomainName + location: location + properties: { + disableLocalAuth: false + } + + resource topic 'topics@2022-06-15' = { + name: 'topic' + } +} + +resource eventHubNamespaceRbacAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + name: guid(managedIdentity.id, 'evhrbacAssignment') + scope: eventHubNamespace + properties: { + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '2b629674-e913-4c01-ae53-ef4638d8f975') //Azure Event Hubs Data Sender + principalId: managedIdentity.properties.principalId + principalType: 'ServicePrincipal' + } +} + +resource serviceBusRbacAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + name: guid(managedIdentity.id, 'sbrbacAssignment') + scope: serviceBus + properties: { + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '69a216fc-b8fb-44d8-bc22-1f3c2cd27a39') //Azure Service Bus Data Sender + principalId: managedIdentity.properties.principalId + principalType: 'ServicePrincipal' + } +} + +@description('The resource ID of the created Virtual Network Subnet.') +output subnetResourceId string = virtualNetwork.properties.subnets[0].id + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalResourceId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Private DNS Zone.') +output privateDNSZoneResourceId string = privateDNSZone.id + +@description('The name of the Event Hub Namespace.') +output eventhubNamespaceName string = eventHubNamespace.name + +@description('The resource ID of the created Event Hub Namespace.') +output eventHubResourceId string = eventHubNamespace::eventHub.id + +@description('The name of the Event Hub.') +output eventhubName string = eventHubNamespace::eventHub.name + +@description('The name of the Service Bus Namespace.') +output serviceBusName string = serviceBus.name + +@description('The name of the Service Bus Topic.') +output serviceBusTopicName string = serviceBus::topic.name + +@description('The Event Grid endpoint uri.') +output eventGridEndpoint string = eventGridDomain.properties.endpoint + +@description('The resource ID of the created Event Grid Topic.') +output eventGridTopicResourceId string = eventGridDomain::topic.id + +@description('The resource ID of the created Event Grid Domain.') +output eventGridDomainResourceId string = eventGridDomain.id + +@description('The resource ID of the created Managed Identity.') +output managedIdentityResourceId string = managedIdentity.id diff --git a/modules/digital-twins/digital-twins-instance/tests/e2e/waf-aligned/main.test.bicep b/modules/digital-twins/digital-twins-instance/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..6b1f42d08a --- /dev/null +++ b/modules/digital-twins/digital-twins-instance/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,132 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-digitaltwins.digitaltwinsinstances-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'dtdtimax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + eventHubName: 'dt-${uniqueString(serviceShort)}-evh-01' + eventHubNamespaceName: 'dt-${uniqueString(serviceShort)}-evhns-01' + serviceBusName: 'dt-${uniqueString(serviceShort)}-sb-01' + eventGridDomainName: 'dt-${uniqueString(serviceShort)}-evg-01' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}03' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${uniqueString(serviceShort)}-evh-01' + eventHubNamespaceName: 'dep-${uniqueString(serviceShort)}-evh-01' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + eventHubEndpoint: { + authenticationType: 'IdentityBased' + endpointUri: 'sb://${nestedDependencies.outputs.eventhubNamespaceName}.servicebus.windows.net/' + entityPath: nestedDependencies.outputs.eventhubName + userAssignedIdentity: nestedDependencies.outputs.managedIdentityResourceId + } + serviceBusEndpoint: { + authenticationType: 'IdentityBased' + endpointUri: 'sb://${nestedDependencies.outputs.serviceBusName}.servicebus.windows.net/' + entityPath: nestedDependencies.outputs.serviceBusTopicName + userAssignedIdentity: nestedDependencies.outputs.managedIdentityResourceId + } + eventGridEndpoint: { + eventGridDomainId: nestedDependencies.outputs.eventGridDomainResourceId + topicEndpoint: nestedDependencies.outputs.eventGridEndpoint + } + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + userAssignedIdentities: { + '${nestedDependencies.outputs.managedIdentityResourceId}': {} + } + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] + subnetResourceId: nestedDependencies.outputs.subnetResourceId + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalResourceId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/event-grid/domain/tests/e2e/waf-aligned/dependencies.bicep b/modules/event-grid/domain/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..8ba0c35f61 --- /dev/null +++ b/modules/event-grid/domain/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,60 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +var addressPrefix = '10.0.0.0/16' + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'defaultSubnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 16, 0) + } + } + ] + } +} + +resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { + name: 'privatelink.eventgrid.azure.net' + location: 'global' + + resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { + name: '${virtualNetwork.name}-vnetlink' + location: 'global' + properties: { + virtualNetwork: { + id: virtualNetwork.id + } + registrationEnabled: false + } + } +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The resource ID of the created Virtual Network Subnet.') +output subnetResourceId string = virtualNetwork.properties.subnets[0].id + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Private DNS Zone.') +output privateDNSZoneResourceId string = privateDNSZone.id diff --git a/modules/event-grid/domain/tests/e2e/waf-aligned/main.test.bicep b/modules/event-grid/domain/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..de3be09b26 --- /dev/null +++ b/modules/event-grid/domain/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,124 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-eventgrid.domains-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'egdmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + inboundIpRules: [ + { + action: 'Allow' + ipMask: '40.74.28.0/23' + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] + service: 'domain' + subnetResourceId: nestedDependencies.outputs.subnetResourceId + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + topics: [ + '${namePrefix}-topic-${serviceShort}001' + ] + } +} diff --git a/modules/event-grid/system-topic/tests/e2e/waf-aligned/dependencies.bicep b/modules/event-grid/system-topic/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..9b192272d4 --- /dev/null +++ b/modules/event-grid/system-topic/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,42 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +@description('Required. The name of the Storage Account to create.') +param storageAccountName string + +@description('Required. The name of the Storage Queue to create.') +param storageQueueName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +resource storageAccount 'Microsoft.Storage/storageAccounts@2022-05-01' = { + name: storageAccountName + location: location + sku: { + name: 'Standard_LRS' + } + kind: 'StorageV2' + + resource queueService 'queueServices@2022-09-01' = { + name: 'default' + + resource queue 'queues@2022-09-01' = { + name: storageQueueName + } + } +} + +@description('The name of the created Storage Account Queue.') +output queueName string = storageAccount::queueService::queue.name + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Storage Account.') +output storageAccountResourceId string = storageAccount.id diff --git a/modules/event-grid/system-topic/tests/e2e/waf-aligned/main.test.bicep b/modules/event-grid/system-topic/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..a1fe7d4bf5 --- /dev/null +++ b/modules/event-grid/system-topic/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,129 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-eventgrid.systemtopics-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'egstmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + storageAccountName: 'dep${namePrefix}sa${serviceShort}' + storageQueueName: 'dep${namePrefix}sq${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + source: nestedDependencies.outputs.storageAccountResourceId + topicType: 'Microsoft.Storage.StorageAccounts' + eventSubscriptions: [ { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + expirationTimeUtc: '2099-01-01T11:00:21.715Z' + filter: { + isSubjectCaseSensitive: false + enableAdvancedFilteringOnArrays: true + } + retryPolicy: { + maxDeliveryAttempts: 10 + eventTimeToLive: '120' + } + eventDeliverySchema: 'CloudEventSchemaV1_0' + destination: { + endpointType: 'StorageQueue' + properties: { + resourceId: nestedDependencies.outputs.storageAccountResourceId + queueMessageTimeToLiveInSeconds: 86400 + queueName: nestedDependencies.outputs.queueName + } + } + } ] + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + systemAssigned: true + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/event-grid/topic/tests/e2e/waf-aligned/dependencies.bicep b/modules/event-grid/topic/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..448380e27d --- /dev/null +++ b/modules/event-grid/topic/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,89 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +@description('Required. The name of the Storage Account to create.') +param storageAccountName string + +@description('Required. The name of the Storage Queue to create.') +param storageQueueName string + +var addressPrefix = '10.0.0.0/16' + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'defaultSubnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 16, 0) + } + } + ] + } +} + +resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { + name: 'privatelink.eventgrid.azure.net' + location: 'global' + + resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { + name: '${virtualNetwork.name}-vnetlink' + location: 'global' + properties: { + virtualNetwork: { + id: virtualNetwork.id + } + registrationEnabled: false + } + } +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +resource storageAccount 'Microsoft.Storage/storageAccounts@2022-05-01' = { + name: storageAccountName + location: location + sku: { + name: 'Standard_LRS' + } + kind: 'StorageV2' + + resource queueService 'queueServices@2022-09-01' = { + name: 'default' + + resource queue 'queues@2022-09-01' = { + name: storageQueueName + } + } +} + +@description('The name of the created Storage Account Queue.') +output queueName string = storageAccount::queueService::queue.name + +@description('The resource ID of the created Virtual Network Subnet.') +output subnetResourceId string = virtualNetwork.properties.subnets[0].id + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Private DNS Zone.') +output privateDNSZoneResourceId string = privateDNSZone.id + +@description('The resource ID of the created Storage Account.') +output storageAccountResourceId string = storageAccount.id diff --git a/modules/event-grid/topic/tests/e2e/waf-aligned/main.test.bicep b/modules/event-grid/topic/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..3ca8f6121e --- /dev/null +++ b/modules/event-grid/topic/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,145 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-eventgrid.topics-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'egtmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + storageAccountName: 'dep${namePrefix}sa${serviceShort}' + storageQueueName: 'dep${namePrefix}sq${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + eventSubscriptions: [ { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + expirationTimeUtc: '2099-01-01T11:00:21.715Z' + filter: { + isSubjectCaseSensitive: false + enableAdvancedFilteringOnArrays: true + } + retryPolicy: { + maxDeliveryAttempts: 10 + eventTimeToLive: '120' + } + eventDeliverySchema: 'CloudEventSchemaV1_0' + destination: { + endpointType: 'StorageQueue' + properties: { + resourceId: nestedDependencies.outputs.storageAccountResourceId + queueMessageTimeToLiveInSeconds: 86400 + queueName: nestedDependencies.outputs.queueName + } + } + } ] + inboundIpRules: [ + { + action: 'Allow' + ipMask: '40.74.28.0/23' + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] + service: 'topic' + subnetResourceId: nestedDependencies.outputs.subnetResourceId + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/event-hub/namespace/tests/e2e/waf-aligned/dependencies.bicep b/modules/event-hub/namespace/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..6bc7e40df9 --- /dev/null +++ b/modules/event-hub/namespace/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,83 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +@description('Required. The name of the Storage Account to create.') +param storageAccountName string + +var addressPrefix = '10.0.0.0/16' + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'defaultSubnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 16, 0) + serviceEndpoints: [ + { + service: 'Microsoft.EventHub' + } + ] + } + } + ] + } +} + +resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { + name: 'privatelink.servicebus.windows.net' + location: 'global' + + resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { + name: '${virtualNetwork.name}-vnetlink' + location: 'global' + properties: { + virtualNetwork: { + id: virtualNetwork.id + } + registrationEnabled: false + } + } +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +resource storageAccount 'Microsoft.Storage/storageAccounts@2022-05-01' = { + name: storageAccountName + location: location + sku: { + name: 'Standard_LRS' + } + kind: 'StorageV2' +} + +@description('The resource ID of the created Virtual Network Subnet.') +output subnetResourceId string = virtualNetwork.properties.subnets[0].id + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Managed Identity.') +output managedIdentityResourceId string = managedIdentity.id + +@description('The resource ID of the created Private DNS Zone.') +output privateDNSZoneResourceId string = privateDNSZone.id + +@description('The resource ID of the created Storage Account.') +output storageAccountResourceId string = storageAccount.id diff --git a/modules/event-hub/namespace/tests/e2e/waf-aligned/main.test.bicep b/modules/event-hub/namespace/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..edfc8d7534 --- /dev/null +++ b/modules/event-hub/namespace/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,228 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-eventhub.namespaces-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'ehnmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + storageAccountName: 'dep${namePrefix}sa${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + zoneRedundant: true + skuName: 'Standard' + skuCapacity: 2 + authorizationRules: [ + { + name: 'RootManageSharedAccessKey' + rights: [ + 'Listen' + 'Manage' + 'Send' + ] + } + { + name: 'SendListenAccess' + rights: [ + 'Listen' + 'Send' + ] + } + ] + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + eventhubs: [ + { + name: '${namePrefix}-az-evh-x-001' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + } + { + name: '${namePrefix}-az-evh-x-002' + authorizationRules: [ + { + name: 'RootManageSharedAccessKey' + rights: [ + 'Listen' + 'Manage' + 'Send' + ] + } + { + name: 'SendListenAccess' + rights: [ + 'Listen' + 'Send' + ] + } + ] + captureDescriptionDestinationArchiveNameFormat: '{Namespace}/{EventHub}/{PartitionId}/{Year}/{Month}/{Day}/{Hour}/{Minute}/{Second}' + captureDescriptionDestinationBlobContainer: 'eventhub' + captureDescriptionDestinationName: 'EventHubArchive.AzureBlockBlob' + captureDescriptionDestinationStorageAccountResourceId: nestedDependencies.outputs.storageAccountResourceId + captureDescriptionEnabled: true + captureDescriptionEncoding: 'Avro' + captureDescriptionIntervalInSeconds: 300 + captureDescriptionSizeLimitInBytes: 314572800 + captureDescriptionSkipEmptyArchives: true + consumergroups: [ + { + name: 'custom' + userMetadata: 'customMetadata' + } + ] + messageRetentionInDays: 1 + partitionCount: 2 + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + status: 'Active' + retentionDescriptionCleanupPolicy: 'Delete' + retentionDescriptionRetentionTimeInHours: 3 + } + { + name: '${namePrefix}-az-evh-x-003' + retentionDescriptionCleanupPolicy: 'Compact' + retentionDescriptionTombstoneRetentionTimeInHours: 24 + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + networkRuleSets: { + defaultAction: 'Deny' + ipRules: [ + { + action: 'Allow' + ipMask: '10.10.10.10' + } + ] + trustedServiceAccessEnabled: false + virtualNetworkRules: [ + { + ignoreMissingVnetServiceEndpoint: true + subnetResourceId: nestedDependencies.outputs.subnetResourceId + } + ] + } + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] + service: 'namespace' + subnetResourceId: nestedDependencies.outputs.subnetResourceId + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] + } + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + kafkaEnabled: true + disableLocalAuth: true + isAutoInflateEnabled: true + minimumTlsVersion: '1.2' + maximumThroughputUnits: 4 + publicNetworkAccess: 'Disabled' + } +} diff --git a/modules/health-bot/health-bot/tests/e2e/waf-aligned/dependencies.bicep b/modules/health-bot/health-bot/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..539240be2b --- /dev/null +++ b/modules/health-bot/health-bot/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,16 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The resource ID of the created Managed Identity.') +output managedIdentityResourceId string = managedIdentity.id + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/health-bot/health-bot/tests/e2e/waf-aligned/main.test.bicep b/modules/health-bot/health-bot/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..5f1fafa9ee --- /dev/null +++ b/modules/health-bot/health-bot/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,78 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-healthbot.healthbots-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'hbhbmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + sku: 'F0' + managedIdentities: { + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] + } + } +} diff --git a/modules/healthcare-apis/workspace/tests/e2e/waf-aligned/dependencies.bicep b/modules/healthcare-apis/workspace/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..96f9aff771 --- /dev/null +++ b/modules/healthcare-apis/workspace/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,74 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +@description('Required. The name of the Event Hub Namespace to create.') +param eventHubNamespaceName string + +@description('Required. The name of the Event Hub consumer group to create.') +param eventHubConsumerGroupName string + +@description('Required. The name of the Storage Account to create.') +param storageAccountName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +resource storageAccount 'Microsoft.Storage/storageAccounts@2022-05-01' = { + name: storageAccountName + location: location + sku: { + name: 'Standard_LRS' + } + kind: 'StorageV2' +} + +resource ehns 'Microsoft.EventHub/namespaces@2022-01-01-preview' = { + name: eventHubNamespaceName + location: location + sku: { + name: 'Standard' + tier: 'Standard' + capacity: 1 + } + properties: { + zoneRedundant: false + isAutoInflateEnabled: false + } + + resource eventhub 'eventhubs@2022-01-01-preview' = { + name: '${eventHubNamespaceName}-hub' + properties: { + messageRetentionInDays: 1 + partitionCount: 1 + } + + resource consumergroup 'consumergroups@2022-01-01-preview' = { + name: eventHubConsumerGroupName + } + } +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Managed Identity.') +output managedIdentityResourceId string = managedIdentity.id +@description('The resource ID of the created Storage Account.') +output storageAccountResourceId string = storageAccount.id + +@description('The resource ID of the created Event Hub Namespace.') +output eventHubNamespaceResourceId string = ehns.id + +@description('The name of the created Event Hub Namespace.') +output eventHubNamespaceName string = ehns.name + +@description('The resource ID of the created Event Hub.') +output eventHubResourceId string = ehns::eventhub.id + +@description('The name of the created Event Hub.') +output eventHubName string = ehns::eventhub.name diff --git a/modules/healthcare-apis/workspace/tests/e2e/waf-aligned/main.test.bicep b/modules/healthcare-apis/workspace/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..5e4f905ce5 --- /dev/null +++ b/modules/healthcare-apis/workspace/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,169 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-healthcareapis.workspaces-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'hawmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// =========== // +// Deployments // +// =========== // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-paramNested' + params: { + eventHubConsumerGroupName: '${namePrefix}-az-iomt-x-001' + eventHubNamespaceName: 'dep-${namePrefix}-ehns-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + storageAccountName: 'dep${namePrefix}sa${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + location: location + publicNetworkAccess: 'Enabled' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + fhirservices: [ + { + name: '${namePrefix}-az-fhir-x-001' + kind: 'fhir-R4' + workspaceName: '${namePrefix}${serviceShort}001' + corsOrigins: [ '*' ] + corsHeaders: [ '*' ] + corsMethods: [ 'GET' ] + corsMaxAge: 600 + corsAllowCredentials: false + location: location + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + publicNetworkAccess: 'Enabled' + resourceVersionPolicy: 'versioned' + smartProxyEnabled: false + enableDefaultTelemetry: enableDefaultTelemetry + managedIdentities: { + systemAssigned: false + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] + } + importEnabled: false + initialImportMode: false + roleAssignments: [ + { + roleDefinitionIdOrName: resourceId('Microsoft.Authorization/roleDefinitions', '5a1fc7df-4bf1-4951-a576-89034ee01acd') + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + } + ] + dicomservices: [ + { + name: '${namePrefix}-az-dicom-x-001' + workspaceName: '${namePrefix}${serviceShort}001' + corsOrigins: [ '*' ] + corsHeaders: [ '*' ] + corsMethods: [ 'GET' ] + corsMaxAge: 600 + corsAllowCredentials: false + location: location + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + publicNetworkAccess: 'Enabled' + enableDefaultTelemetry: enableDefaultTelemetry + managedIdentities: { + systemAssigned: false + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] + } } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/insights/action-group/tests/e2e/waf-aligned/dependencies.bicep b/modules/insights/action-group/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..a7f42aee7b --- /dev/null +++ b/modules/insights/action-group/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,13 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/insights/action-group/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/action-group/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..7a156298a2 --- /dev/null +++ b/modules/insights/action-group/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,88 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-insights.actiongroups-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'iagmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + groupShortName: 'ag${serviceShort}001' + emailReceivers: [ + { + emailAddress: 'test.user@testcompany.com' + name: 'TestUser_-EmailAction-' + useCommonAlertSchema: true + } + { + emailAddress: 'test.user2@testcompany.com' + name: 'TestUser2' + useCommonAlertSchema: true + } + ] + smsReceivers: [ + { + countryCode: '1' + name: 'TestUser_-SMSAction-' + phoneNumber: '2345678901' + } + ] + roleAssignments: [ + { + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + roleDefinitionIdOrName: 'Reader' + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/insights/activity-log-alert/tests/e2e/waf-aligned/dependencies.bicep b/modules/insights/activity-log-alert/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..f031089363 --- /dev/null +++ b/modules/insights/activity-log-alert/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,28 @@ +@description('Required. The name of the Action Group to create.') +param actionGroupName string + +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +resource actionGroup 'Microsoft.Insights/actionGroups@2022-06-01' = { + name: actionGroupName + location: 'global' + properties: { + groupShortName: substring(replace(actionGroupName, '-', ''), 0, 11) + enabled: true + } +} + +@description('The resource ID of the created Action Group.') +output actionGroupResourceId string = actionGroup.id + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/insights/activity-log-alert/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/activity-log-alert/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..74452e4c5f --- /dev/null +++ b/modules/insights/activity-log-alert/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,109 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-insights.activityLogAlerts-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'ialamax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + actionGroupName: 'dep-${namePrefix}-ag-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + conditions: [ + { + field: 'category' + equals: 'ServiceHealth' + } + { + anyOf: [ + { + field: 'properties.incidentType' + equals: 'Incident' + } + { + field: 'properties.incidentType' + equals: 'Maintenance' + } + ] + } + { + field: 'properties.impactedServices[*].ServiceName' + containsAny: [ + 'Action Groups' + 'Activity Logs & Alerts' + ] + } + { + field: 'properties.impactedServices[*].ImpactedRegions[*].RegionName' + containsAny: [ + 'West Europe' + 'Global' + ] + } + ] + actions: [ + { + actionGroupId: nestedDependencies.outputs.actionGroupResourceId + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + scopes: [ + subscription().id + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/insights/component/tests/e2e/waf-aligned/dependencies.bicep b/modules/insights/component/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..a7f42aee7b --- /dev/null +++ b/modules/insights/component/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,13 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/insights/component/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/component/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..e272985a9c --- /dev/null +++ b/modules/insights/component/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,97 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-insights.components-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'icmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/insights/data-collection-endpoint/tests/e2e/waf-aligned/dependencies.bicep b/modules/insights/data-collection-endpoint/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..d16e1031b1 --- /dev/null +++ b/modules/insights/data-collection-endpoint/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,13 @@ +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +@description('Required. The name of the managed identity to create.') +param managedIdentityName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The principal ID of the created managed identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/insights/data-collection-endpoint/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/data-collection-endpoint/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..0bcea4cb4a --- /dev/null +++ b/modules/insights/data-collection-endpoint/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,74 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-insights.dataCollectionEndpoints-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'idcemax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// =========== // +// Deployments // +// =========== // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module resourceGroupResources 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-paramNested' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + publicNetworkAccess: 'Enabled' + kind: 'Windows' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: resourceGroupResources.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + resourceType: 'Data Collection Rules' + kind: 'Windows' + } + } +} diff --git a/modules/insights/diagnostic-setting/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/diagnostic-setting/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..b26c05e269 --- /dev/null +++ b/modules/insights/diagnostic-setting/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,70 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-insights.diagnosticsettings-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'idsmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } +} diff --git a/modules/insights/metric-alert/tests/e2e/waf-aligned/dependencies.bicep b/modules/insights/metric-alert/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..eb23eca835 --- /dev/null +++ b/modules/insights/metric-alert/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,29 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +@description('Required. The name of the Action Group to create.') +param actionGroupName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +resource actionGroup 'Microsoft.Insights/actionGroups@2022-06-01' = { + name: actionGroupName + location: 'global' + + properties: { + enabled: true + groupShortName: substring(actionGroupName, 0, 11) + } +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Action Group.') +output actionGroupResourceId string = actionGroup.id diff --git a/modules/insights/metric-alert/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/metric-alert/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..f9cc7d5482 --- /dev/null +++ b/modules/insights/metric-alert/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,87 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-insights.metricalerts-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'imamax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + actionGroupName: 'dep-${namePrefix}-ag-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + criterias: [ + { + criterionType: 'StaticThresholdCriterion' + metricName: 'Percentage CPU' + metricNamespace: 'microsoft.compute/virtualmachines' + name: 'HighCPU' + operator: 'GreaterThan' + threshold: '90' + timeAggregation: 'Average' + } + ] + actions: [ + nestedDependencies.outputs.actionGroupResourceId + ] + alertCriteriaType: 'Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + targetResourceRegion: 'westeurope' + targetResourceType: 'microsoft.compute/virtualmachines' + windowSize: 'PT15M' + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/insights/private-link-scope/tests/e2e/waf-aligned/dependencies.bicep b/modules/insights/private-link-scope/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..e09c9b5a0c --- /dev/null +++ b/modules/insights/private-link-scope/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,71 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +@description('Required. The name of the Log Analytics Workspace to create.') +param logAnalyticsWorkspaceName string + +var addressPrefix = '10.0.0.0/16' + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'defaultSubnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 16, 0) + } + } + ] + } +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { + name: 'privatelink.monitor.azure.com' + location: 'global' + + resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { + name: '${virtualNetwork.name}-vnetlink' + location: 'global' + properties: { + virtualNetwork: { + id: virtualNetwork.id + } + registrationEnabled: false + } + } +} + +resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2021-12-01-preview' = { + name: logAnalyticsWorkspaceName + location: location +} + +@description('The resource ID of the created Virtual Network Subnet.') +output subnetResourceId string = virtualNetwork.properties.subnets[0].id + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Private DNS Zone.') +output privateDNSZoneResourceId string = privateDNSZone.id + +@description('The resource ID of the created Log Analytics Workspace.') +output logAnalyticsWorkspaceResourceId string = logAnalyticsWorkspace.id diff --git a/modules/insights/private-link-scope/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/private-link-scope/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..6b92ace5e2 --- /dev/null +++ b/modules/insights/private-link-scope/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,89 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-insights.privatelinkscopes-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'iplsmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-la-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + scopedResources: [ + { + name: 'scoped1' + linkedResourceId: nestedDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] + subnetResourceId: nestedDependencies.outputs.subnetResourceId + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/insights/scheduled-query-rule/tests/e2e/waf-aligned/dependencies.bicep b/modules/insights/scheduled-query-rule/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..9e9a8f2510 --- /dev/null +++ b/modules/insights/scheduled-query-rule/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,24 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +@description('Required. The name of the Log Analytics Workspace to create.') +param logAnalyticsWorkspaceName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2021-06-01' = { + name: logAnalyticsWorkspaceName + location: location +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Log Analytics Workspace.') +output logAnalyticsWorkspaceResourceId string = logAnalyticsWorkspace.id diff --git a/modules/insights/scheduled-query-rule/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/scheduled-query-rule/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..d8bc06cf5e --- /dev/null +++ b/modules/insights/scheduled-query-rule/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,105 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-insights.scheduledqueryrules-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'isqrmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + alertDescription: 'My sample Alert' + autoMitigate: false + criterias: { + allOf: [ + { + dimensions: [ + { + name: 'Computer' + operator: 'Include' + values: [ + '*' + ] + } + { + name: 'InstanceName' + operator: 'Include' + values: [ + '*' + ] + } + ] + metricMeasureColumn: 'AggregatedValue' + operator: 'GreaterThan' + query: 'Perf | where ObjectName == "LogicalDisk" | where CounterName == "% Free Space" | where InstanceName <> "HarddiskVolume1" and InstanceName <> "_Total" | summarize AggregatedValue = min(CounterValue) by Computer, InstanceName, bin(TimeGenerated,5m)' + threshold: 0 + timeAggregation: 'Average' + } + ] + } + evaluationFrequency: 'PT5M' + queryTimeRange: 'PT5M' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + scopes: [ + nestedDependencies.outputs.logAnalyticsWorkspaceResourceId + ] + suppressForMinutes: 'PT5M' + windowSize: 'PT5M' + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/insights/webtest/tests/e2e/waf-aligned/dependencies.bicep b/modules/insights/webtest/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..79e003515d --- /dev/null +++ b/modules/insights/webtest/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,26 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Log Analytics Workspace to create.') +param appInsightName string + +@description('Required. The name of the Log Analytics Workspace to create.') +param logAnalyticsWorkspaceName string + +resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2021-06-01' = { + name: logAnalyticsWorkspaceName + location: location +} + +resource appInsight 'Microsoft.Insights/components@2020-02-02' = { + name: appInsightName + location: location + kind: 'web' + properties: { + Application_Type: 'web' + WorkspaceResourceId: logAnalyticsWorkspace.id + } +} + +@description('The resource ID of the created Log Analytics Workspace.') +output appInsightResourceId string = appInsight.id diff --git a/modules/insights/webtest/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/webtest/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..1a552a552b --- /dev/null +++ b/modules/insights/webtest/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,77 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-insights.webtests-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'iwtmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + appInsightName: 'dep-${namePrefix}-appi-${serviceShort}' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + name: '${namePrefix}${serviceShort}001' + tags: { + 'hidden-title': 'This is visible in the resource name' + 'hidden-link:${nestedDependencies.outputs.appInsightResourceId}': 'Resource' + } + enableDefaultTelemetry: enableDefaultTelemetry + webTestName: 'wt${namePrefix}$${serviceShort}001' + syntheticMonitorId: '${namePrefix}${serviceShort}001' + locations: [ + { + Id: 'emea-nl-ams-azr' + } + ] + request: { + RequestUrl: 'https://learn.microsoft.com/en-us/' + HttpVerb: 'GET' + } + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + } +} diff --git a/modules/key-vault/vault/tests/e2e/waf-aligned/dependencies.bicep b/modules/key-vault/vault/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..6c3754d07f --- /dev/null +++ b/modules/key-vault/vault/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,65 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +var addressPrefix = '10.0.0.0/16' + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'defaultSubnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 16, 0) + serviceEndpoints: [ + { + service: 'Microsoft.KeyVault' + } + ] + } + } + ] + } +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { + name: 'privatelink.vaultcore.azure.net' + location: 'global' + + resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { + name: '${virtualNetwork.name}-vnetlink' + location: 'global' + properties: { + virtualNetwork: { + id: virtualNetwork.id + } + registrationEnabled: false + } + } +} + +@description('The resource ID of the created Virtual Network Subnet.') +output subnetResourceId string = virtualNetwork.properties.subnets[0].id + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Private DNS Zone.') +output privateDNSZoneResourceId string = privateDNSZone.id diff --git a/modules/key-vault/vault/tests/e2e/waf-aligned/main.test.bicep b/modules/key-vault/vault/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..16392f9744 --- /dev/null +++ b/modules/key-vault/vault/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,189 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-keyvault.vaults-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'kvvmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}03' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}01' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}01' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}002' + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + // Only for testing purposes + enablePurgeProtection: false + enableRbacAuthorization: true + keys: [ + { + attributesExp: 1725109032 + attributesNbf: 10000 + name: 'keyName' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + rotationPolicy: { + attributes: { + expiryTime: 'P2Y' + } + lifetimeActions: [ + { + trigger: { + timeBeforeExpiry: 'P2M' + } + action: { + type: 'Rotate' + } + } + { + trigger: { + timeBeforeExpiry: 'P30D' + } + action: { + type: 'Notify' + } + } + ] + } + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + networkAcls: { + bypass: 'AzureServices' + defaultAction: 'Deny' + ipRules: [ + { + value: '40.74.28.0/23' + } + ] + virtualNetworkRules: [ + { + id: nestedDependencies.outputs.subnetResourceId + ignoreMissingVnetServiceEndpoint: false + } + ] + } + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] + service: 'vault' + subnetResourceId: nestedDependencies.outputs.subnetResourceId + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + secrets: { + secureList: [ + { + attributesExp: 1702648632 + attributesNbf: 10000 + contentType: 'Something' + name: 'secretName' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + value: 'secretValue' + } + ] + } + softDeleteRetentionInDays: 7 + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/kubernetes-configuration/extension/tests/e2e/waf-aligned/dependencies.bicep b/modules/kubernetes-configuration/extension/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..0169763539 --- /dev/null +++ b/modules/kubernetes-configuration/extension/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,32 @@ +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +@description('Required. The name of the AKS cluster to create.') +param clusterName string + +@description('Required. The name of the AKS cluster nodes resource group to create.') +param clusterNodeResourceGroupName string + +resource cluster 'Microsoft.ContainerService/managedClusters@2022-07-01' = { + name: clusterName + location: location + identity: { + type: 'SystemAssigned' + } + properties: { + dnsPrefix: clusterName + nodeResourceGroup: clusterNodeResourceGroupName + agentPoolProfiles: [ + { + name: 'agentpool' + count: 1 + vmSize: 'Standard_DS2_v2' + osType: 'Linux' + mode: 'System' + } + ] + } +} + +@description('The name of the created AKS cluster.') +output clusterName string = cluster.name diff --git a/modules/kubernetes-configuration/extension/tests/e2e/waf-aligned/main.test.bicep b/modules/kubernetes-configuration/extension/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..c371a3c0d2 --- /dev/null +++ b/modules/kubernetes-configuration/extension/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,84 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-kubernetesconfiguration.extensions-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'kcemax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + clusterName: 'dep-${namePrefix}-aks-${serviceShort}' + clusterNodeResourceGroupName: 'nodes-${resourceGroupName}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + clusterName: nestedDependencies.outputs.clusterName + extensionType: 'microsoft.flux' + configurationSettings: { + 'image-automation-controller.enabled': 'false' + 'image-reflector-controller.enabled': 'false' + 'kustomize-controller.enabled': 'true' + 'notification-controller.enabled': 'false' + 'source-controller.enabled': 'true' + } + releaseNamespace: 'flux-system' + releaseTrain: 'Stable' + version: '0.5.2' + fluxConfigurations: [ + { + namespace: 'flux-system' + scope: 'cluster' + gitRepository: { + repositoryRef: { + branch: 'main' + } + sshKnownHosts: '' + syncIntervalInSeconds: 300 + timeoutInSeconds: 180 + url: 'https://github.com/mspnp/aks-baseline' + } + } + ] + } +} diff --git a/modules/kubernetes-configuration/flux-configuration/tests/e2e/waf-aligned/dependencies.bicep b/modules/kubernetes-configuration/flux-configuration/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..0bf942bbd1 --- /dev/null +++ b/modules/kubernetes-configuration/flux-configuration/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,49 @@ +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +@description('Required. The name of the AKS cluster to create.') +param clusterName string + +@description('Required. The name of the AKS cluster extension to create.') +param clusterExtensionName string + +@description('Required. The name of the AKS cluster nodes resource group to create.') +param clusterNodeResourceGroupName string + +resource cluster 'Microsoft.ContainerService/managedClusters@2022-07-01' = { + name: clusterName + location: location + identity: { + type: 'SystemAssigned' + } + properties: { + dnsPrefix: clusterName + nodeResourceGroup: clusterNodeResourceGroupName + agentPoolProfiles: [ + { + name: 'agentpool' + count: 1 + vmSize: 'Standard_DS2_v2' + osType: 'Linux' + mode: 'System' + } + ] + } +} + +resource extension 'Microsoft.KubernetesConfiguration/extensions@2022-03-01' = { + scope: cluster + name: clusterExtensionName + properties: { + extensionType: 'microsoft.flux' + releaseTrain: 'Stable' + scope: { + cluster: { + releaseNamespace: 'flux-system' + } + } + } +} + +@description('The name of the created AKS cluster.') +output clusterName string = cluster.name diff --git a/modules/kubernetes-configuration/flux-configuration/tests/e2e/waf-aligned/main.test.bicep b/modules/kubernetes-configuration/flux-configuration/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..9a9c757de1 --- /dev/null +++ b/modules/kubernetes-configuration/flux-configuration/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,81 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-kubernetesconfiguration.fluxconfigurations-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'kcfcmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + clusterName: 'dep-${namePrefix}-aks-${serviceShort}' + clusterExtensionName: '${namePrefix}${serviceShort}001' + clusterNodeResourceGroupName: 'nodes-${resourceGroupName}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + clusterName: nestedDependencies.outputs.clusterName + namespace: 'flux-system' + scope: 'cluster' + sourceKind: 'GitRepository' + gitRepository: { + repositoryRef: { + branch: 'main' + } + sshKnownHosts: '' + syncIntervalInSeconds: 300 + timeoutInSeconds: 180 + url: 'https://github.com/mspnp/aks-baseline' + } + kustomizations: { + unified: { + dependsOn: [] + force: false + path: './cluster-manifests' + prune: true + syncIntervalInSeconds: 300 + timeoutInSeconds: 300 + } + } + } +} diff --git a/modules/logic/workflow/tests/e2e/waf-aligned/dependencies.bicep b/modules/logic/workflow/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..0f0755a6f4 --- /dev/null +++ b/modules/logic/workflow/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,16 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Managed Identity.') +output managedIdentityResourceId string = managedIdentity.id diff --git a/modules/logic/workflow/tests/e2e/waf-aligned/main.test.bicep b/modules/logic/workflow/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..5ab05e3420 --- /dev/null +++ b/modules/logic/workflow/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,136 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-logic.workflows-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'lwmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + managedIdentities: { + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] + } + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + workflowActions: { + HTTP: { + inputs: { + body: { + BeginPeakTime: '' + EndPeakTime: '' + HostPoolName: '' + LAWorkspaceName: '' + LimitSecondsToForceLogOffUser: '' + LogOffMessageBody: '' + LogOffMessageTitle: '' + MinimumNumberOfRDSH: 1 + ResourceGroupName: '' + SessionThresholdPerCPU: 1 + UtcOffset: '' + } + method: 'POST' + uri: 'https://testStringForValidation.com' + } + type: 'Http' + } + } + workflowTriggers: { + Recurrence: { + recurrence: { + frequency: 'Minute' + interval: 15 + } + type: 'Recurrence' + } + } + } +} diff --git a/modules/machine-learning-services/workspace/tests/e2e/waf-aligned/dependencies.bicep b/modules/machine-learning-services/workspace/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..4f7b46494d --- /dev/null +++ b/modules/machine-learning-services/workspace/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,134 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +@description('Required. The name of the Key Vault to create.') +param keyVaultName string + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +@description('Required. The name of the Application Insights instance to create.') +param applicationInsightsName string + +@description('Required. The name of the Storage Account to create.') +param storageAccountName string + +var addressPrefix = '10.0.0.0/16' + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'defaultSubnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 16, 0) + } + } + ] + } +} + +resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = { + name: keyVaultName + location: location + properties: { + sku: { + family: 'A' + name: 'standard' + } + tenantId: tenant().tenantId + enablePurgeProtection: null + enabledForTemplateDeployment: true + enabledForDiskEncryption: true + enabledForDeployment: true + enableRbacAuthorization: true + accessPolicies: [] + } +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +resource keyVaultServicePermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + name: guid('msi-${keyVault.id}-${location}-${managedIdentity.id}-KeyVault-Contributor-RoleAssignment') + scope: keyVault + properties: { + principalId: managedIdentity.properties.principalId + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') // Contributor + principalType: 'ServicePrincipal' + } +} +resource keyVaultDataPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + name: guid('msi-${keyVault.id}-${location}-${managedIdentity.id}-KeyVault-Data-Admin-RoleAssignment') + scope: keyVault + properties: { + principalId: managedIdentity.properties.principalId + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483') // Key Vault Administrator + principalType: 'ServicePrincipal' + } +} + +resource applicationInsights 'Microsoft.Insights/components@2020-02-02' = { + name: applicationInsightsName + location: location + kind: '' + properties: {} +} + +resource storageAccount 'Microsoft.Storage/storageAccounts@2021-09-01' = { + name: storageAccountName + location: location + sku: { + name: 'Standard_LRS' + } + kind: 'StorageV2' +} + +resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { + name: 'privatelink.api.azureml.ms' + location: 'global' + + resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { + name: '${virtualNetwork.name}-vnetlink' + location: 'global' + properties: { + virtualNetwork: { + id: virtualNetwork.id + } + registrationEnabled: false + } + } +} + +@description('The resource ID of the created Virtual Network Subnet.') +output subnetResourceId string = virtualNetwork.properties.subnets[0].id + +@description('The resource ID of the created Key Vault.') +output keyVaultResourceId string = keyVault.id + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Managed Identity.') +output managedIdentityResourceId string = managedIdentity.id + +@description('The resource ID of the created Application Insights instance.') +output applicationInsightsResourceId string = applicationInsights.id + +@description('The resource ID of the created Storage Account.') +output storageAccountResourceId string = storageAccount.id + +@description('The resource ID of the created Private DNS Zone.') +output privateDNSZoneResourceId string = privateDNSZone.id diff --git a/modules/machine-learning-services/workspace/tests/e2e/waf-aligned/main.test.bicep b/modules/machine-learning-services/workspace/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..ba4a782be3 --- /dev/null +++ b/modules/machine-learning-services/workspace/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,162 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-machinelearningservices.workspaces-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'mlswmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}' + applicationInsightsName: 'dep-${namePrefix}-appi-${serviceShort}' + storageAccountName: 'dep${namePrefix}st${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + associatedApplicationInsightsResourceId: nestedDependencies.outputs.applicationInsightsResourceId + associatedKeyVaultResourceId: nestedDependencies.outputs.keyVaultResourceId + associatedStorageAccountResourceId: nestedDependencies.outputs.storageAccountResourceId + sku: 'Premium' + computes: [ + { + computeLocation: 'westeurope' + computeType: 'AmlCompute' + description: 'Default CPU Cluster' + disableLocalAuth: false + location: 'westeurope' + name: 'DefaultCPU' + properties: { + enableNodePublicIp: true + isolatedNetwork: false + osType: 'Linux' + remoteLoginPortPublicAccess: 'Disabled' + scaleSettings: { + maxNodeCount: 3 + minNodeCount: 0 + nodeIdleTimeBeforeScaleDown: 'PT5M' + } + vmPriority: 'Dedicated' + vmSize: 'STANDARD_DS11_V2' + } + sku: 'Basic' + // Must be false if `primaryUserAssignedIdentity` is provided + managedIdentities: { + systemAssigned: false + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] + } + } + ] + description: 'The cake is a lie.' + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + discoveryUrl: 'http://example.com' + imageBuildCompute: 'testcompute' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + primaryUserAssignedIdentity: nestedDependencies.outputs.managedIdentityResourceId + privateEndpoints: [ + { + subnetResourceId: nestedDependencies.outputs.subnetResourceId + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + managedIdentities: { + systemAssigned: false + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] + } + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/maintenance/maintenance-configuration/tests/e2e/waf-aligned/dependencies.bicep b/modules/maintenance/maintenance-configuration/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..a7f42aee7b --- /dev/null +++ b/modules/maintenance/maintenance-configuration/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,13 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/maintenance/maintenance-configuration/tests/e2e/waf-aligned/main.test.bicep b/modules/maintenance/maintenance-configuration/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..980dcf5100 --- /dev/null +++ b/modules/maintenance/maintenance-configuration/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,101 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-maintenance.maintenanceconfigurations-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'mmcmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + extensionProperties: { + InGuestPatchMode: 'User' + } + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + maintenanceScope: 'InGuestPatch' + maintenanceWindow: { + duration: '03:00' + expirationDateTime: '9999-12-31 23:59:59' + recurEvery: 'Day' + startDateTime: '2022-12-31 13:00' + timeZone: 'W. Europe Standard Time' + } + namespace: '${serviceShort}ns' + visibility: 'Custom' + installPatches: { + linuxParameters: { + classificationsToInclude: null + packageNameMasksToExclude: null + packageNameMasksToInclude: null + } + rebootSetting: 'IfRequired' + windowsParameters: { + classificationsToInclude: [ + 'Critical' + 'Security' + ] + kbNumbersToExclude: null + kbNumbersToInclude: null + } + } + } +} diff --git a/modules/managed-identity/user-assigned-identity/tests/e2e/waf-aligned/dependencies.bicep b/modules/managed-identity/user-assigned-identity/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..a7f42aee7b --- /dev/null +++ b/modules/managed-identity/user-assigned-identity/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,13 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/managed-identity/user-assigned-identity/tests/e2e/waf-aligned/main.test.bicep b/modules/managed-identity/user-assigned-identity/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..bd4e76dc48 --- /dev/null +++ b/modules/managed-identity/user-assigned-identity/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,82 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-managedidentity.userassignedidentities-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'miuaimax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + federatedIdentityCredentials: [ + { + name: 'test-fed-cred-${serviceShort}-001' + audiences: [ + 'api://AzureADTokenExchange' + ] + issuer: 'https://contoso.com/${subscription().tenantId}/${guid(deployment().name)}/' + subject: 'system:serviceaccount:default:workload-identity-sa' + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/managed-services/registration-definition/tests/e2e/waf-aligned/main.test.bicep b/modules/managed-services/registration-definition/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..09e848751a --- /dev/null +++ b/modules/managed-services/registration-definition/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,48 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'msrdmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + name: '${uniqueString(deployment().name)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: 'Component Validation - ${namePrefix}${serviceShort} Subscription assignment' + authorizations: [ + { + principalId: '<< SET YOUR PRINCIPAL ID 1 HERE >>' + principalIdDisplayName: 'ResourceModules-Reader' + roleDefinitionId: 'acdd72a7-3385-48ef-bd42-f606fba81ae7' + } + { + principalId: '<< SET YOUR PRINCIPAL ID 2 HERE >>' + principalIdDisplayName: 'ResourceModules-Contributor' + roleDefinitionId: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '<< SET YOUR PRINCIPAL ID 3 HERE >>' + principalIdDisplayName: 'ResourceModules-LHManagement' + roleDefinitionId: '91c1777a-f3dc-4fae-b103-61d183457e46' + } + ] + managedByTenantId: '<< SET YOUR TENANT ID HERE >>' + registrationDescription: 'Managed by Lighthouse' + } +} diff --git a/modules/management/management-group/tests/e2e/waf-aligned/main.test.bicep b/modules/management/management-group/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..41256aa624 --- /dev/null +++ b/modules/management/management-group/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,31 @@ +targetScope = 'managementGroup' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'mmgmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + name: '${uniqueString(deployment().name)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + displayName: 'Test MG' + parentId: last(split(managementGroup().id, '/')) + } +} diff --git a/modules/network/application-gateway-web-application-firewall-policy/tests/e2e/waf-aligned/main.test.bicep b/modules/network/application-gateway-web-application-firewall-policy/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..a06afa8f68 --- /dev/null +++ b/modules/network/application-gateway-web-application-firewall-policy/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,72 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.applicationGatewayWebApplicationFirewallPolicies-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'nagwafpmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { + name: resourceGroupName + location: location +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + policySettings: { + fileUploadLimitInMb: 10 + state: 'Enabled' + mode: 'Prevention' + } + managedRules: { + managedRuleSets: [ + { + ruleSetType: 'OWASP' + ruleSetVersion: '3.2' + ruleGroupOverrides: [] + } + { + ruleSetType: 'Microsoft_BotManagerRuleSet' + ruleSetVersion: '0.1' + ruleGroupOverrides: [] + } + ] + } + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/network/application-gateway/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/application-gateway/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..2de1a81653 --- /dev/null +++ b/modules/network/application-gateway/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,146 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +@description('Required. The name of the Public IP to create.') +param publicIPName string + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +@description('Required. The name of the Key Vault to create.') +param keyVaultName string + +@description('Required. The name of the Deployment Script to create for the Certificate generation.') +param certDeploymentScriptName string + +var addressPrefix = '10.0.0.0/16' + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'defaultSubnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 24, 0) + } + } + { + name: 'privateLinkSubnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 24, 1) + privateLinkServiceNetworkPolicies: 'Disabled' + } + } + ] + } +} + +resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { + name: 'privatelink.appgateway.net' + location: 'global' + + resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { + name: '${virtualNetwork.name}-vnetlink' + location: 'global' + properties: { + virtualNetwork: { + id: virtualNetwork.id + } + registrationEnabled: false + } + } +} + +resource publicIP 'Microsoft.Network/publicIPAddresses@2023-04-01' = { + name: publicIPName + location: location + sku: { + name: 'Standard' + tier: 'Regional' + } + properties: { + publicIPAllocationMethod: 'Static' + } +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = { + name: keyVaultName + location: location + properties: { + sku: { + family: 'A' + name: 'standard' + } + tenantId: tenant().tenantId + enablePurgeProtection: null + enabledForTemplateDeployment: true + enabledForDiskEncryption: true + enabledForDeployment: true + enableRbacAuthorization: true + accessPolicies: [] + } +} + +resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + name: guid('msi-${managedIdentity.name}-KeyVault-Admin-RoleAssignment') + scope: keyVault + properties: { + principalId: managedIdentity.properties.principalId + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', '00482a5a-887f-4fb3-b363-3b7fe8e74483') // Key Vault Administrator + principalType: 'ServicePrincipal' + } +} + +resource certDeploymentScript 'Microsoft.Resources/deploymentScripts@2020-10-01' = { + name: certDeploymentScriptName + location: location + kind: 'AzurePowerShell' + identity: { + type: 'UserAssigned' + userAssignedIdentities: { + '${managedIdentity.id}': {} + } + } + properties: { + azPowerShellVersion: '8.0' + retentionInterval: 'P1D' + arguments: '-KeyVaultName "${keyVault.name}" -CertName "applicationGatewaySslCertificate"' + scriptContent: loadTextContent('../../../../../.shared/.scripts/Set-CertificateInKeyVault.ps1') + } +} + +@description('The resource ID of the created Virtual Network default subnet.') +output defaultSubnetResourceId string = virtualNetwork.properties.subnets[0].id + +@description('The resource ID of the created Virtual Network private link subnet.') +output privateLinkSubnetResourceId string = virtualNetwork.properties.subnets[1].id + +@description('The resource ID of the created Public IP.') +output publicIPResourceId string = publicIP.id + +@description('The resource ID of the created Managed Identity.') +output managedIdentityResourceId string = managedIdentity.id + +@description('The URL of the created certificate.') +output certificateSecretUrl string = certDeploymentScript.properties.outputs.secretUrl + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Private DNS Zone.') +output privateDNSZoneResourceId string = privateDNSZone.id diff --git a/modules/network/application-gateway/tests/e2e/waf-aligned/main.test.bicep b/modules/network/application-gateway/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..9359135a3f --- /dev/null +++ b/modules/network/application-gateway/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,498 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.applicationgateways-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'nagmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + publicIPName: 'dep-${namePrefix}-pip-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + certDeploymentScriptName: 'dep-${namePrefix}-ds-${serviceShort}' + keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +var appGWName = '${namePrefix}${serviceShort}001' +var appGWExpectedResourceID = '${resourceGroup.id}/providers/Microsoft.Network/applicationGateways/${appGWName}' +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: appGWName + backendAddressPools: [ + { + name: 'appServiceBackendPool' + properties: { + backendAddresses: [ + { + fqdn: 'aghapp.azurewebsites.net' + } + ] + } + } + { + name: 'privateVmBackendPool' + properties: { + backendAddresses: [ + { + ipAddress: '10.0.0.4' + } + ] + } + } + ] + backendHttpSettingsCollection: [ + { + name: 'appServiceBackendHttpsSetting' + properties: { + cookieBasedAffinity: 'Disabled' + pickHostNameFromBackendAddress: true + port: 443 + protocol: 'Https' + requestTimeout: 30 + } + } + { + name: 'privateVmHttpSetting' + properties: { + cookieBasedAffinity: 'Disabled' + pickHostNameFromBackendAddress: false + port: 80 + probe: { + id: '${appGWExpectedResourceID}/probes/privateVmHttpSettingProbe' + } + protocol: 'Http' + requestTimeout: 30 + } + } + ] + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + enableHttp2: true + privateLinkConfigurations: [ + { + name: 'pvtlink01' + id: '${appGWExpectedResourceID}/privateLinkConfigurations/pvtlink01' + properties: { + ipConfigurations: [ + { + name: 'privateLinkIpConfig1' + id: '${appGWExpectedResourceID}/privateLinkConfigurations/pvtlink01/ipConfigurations/privateLinkIpConfig1' + properties: { + privateIPAllocationMethod: 'Dynamic' + primary: false + subnet: { + id: nestedDependencies.outputs.privateLinkSubnetResourceId + } + } + } + ] + } + } + ] + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] + service: 'public' + subnetResourceId: nestedDependencies.outputs.privateLinkSubnetResourceId + tags: { + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + frontendIPConfigurations: [ + { + name: 'private' + properties: { + privateIPAddress: '10.0.0.20' + privateIPAllocationMethod: 'Static' + subnet: { + id: nestedDependencies.outputs.defaultSubnetResourceId + } + } + } + { + name: 'public' + properties: { + privateIPAllocationMethod: 'Dynamic' + publicIPAddress: { + id: nestedDependencies.outputs.publicIPResourceId + } + privateLinkConfiguration: { + id: '${appGWExpectedResourceID}/privateLinkConfigurations/pvtlink01' + } + } + } + ] + frontendPorts: [ + { + name: 'port443' + properties: { + port: 443 + } + } + { + name: 'port4433' + properties: { + port: 4433 + } + } + { + name: 'port80' + properties: { + port: 80 + } + } + { + name: 'port8080' + properties: { + port: 8080 + } + } + ] + gatewayIPConfigurations: [ + { + name: 'apw-ip-configuration' + properties: { + subnet: { + id: nestedDependencies.outputs.defaultSubnetResourceId + } + } + } + ] + httpListeners: [ + { + name: 'public443' + properties: { + frontendIPConfiguration: { + id: '${appGWExpectedResourceID}/frontendIPConfigurations/public' + } + frontendPort: { + id: '${appGWExpectedResourceID}/frontendPorts/port443' + } + hostNames: [] + protocol: 'https' + requireServerNameIndication: false + sslCertificate: { + id: '${appGWExpectedResourceID}/sslCertificates/${namePrefix}-az-apgw-x-001-ssl-certificate' + } + } + } + { + name: 'private4433' + properties: { + frontendIPConfiguration: { + id: '${appGWExpectedResourceID}/frontendIPConfigurations/private' + } + frontendPort: { + id: '${appGWExpectedResourceID}/frontendPorts/port4433' + } + hostNames: [] + protocol: 'https' + requireServerNameIndication: false + sslCertificate: { + id: '${appGWExpectedResourceID}/sslCertificates/${namePrefix}-az-apgw-x-001-ssl-certificate' + } + } + } + { + name: 'httpRedirect80' + properties: { + frontendIPConfiguration: { + id: '${appGWExpectedResourceID}/frontendIPConfigurations/public' + } + frontendPort: { + id: '${appGWExpectedResourceID}/frontendPorts/port80' + } + hostNames: [] + protocol: 'Http' + requireServerNameIndication: false + } + } + { + name: 'httpRedirect8080' + properties: { + frontendIPConfiguration: { + id: '${appGWExpectedResourceID}/frontendIPConfigurations/private' + } + frontendPort: { + id: '${appGWExpectedResourceID}/frontendPorts/port8080' + } + hostNames: [] + protocol: 'Http' + requireServerNameIndication: false + } + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + probes: [ + { + name: 'privateVmHttpSettingProbe' + properties: { + host: '10.0.0.4' + interval: 60 + match: { + statusCodes: [ + '200' + '401' + ] + } + minServers: 3 + path: '/' + pickHostNameFromBackendHttpSettings: false + protocol: 'Http' + timeout: 15 + unhealthyThreshold: 5 + } + } + ] + redirectConfigurations: [ + { + name: 'httpRedirect80' + properties: { + includePath: true + includeQueryString: true + redirectType: 'Permanent' + requestRoutingRules: [ + { + id: '${appGWExpectedResourceID}/requestRoutingRules/httpRedirect80-public443' + } + ] + targetListener: { + id: '${appGWExpectedResourceID}/httpListeners/public443' + } + } + } + { + name: 'httpRedirect8080' + properties: { + includePath: true + includeQueryString: true + redirectType: 'Permanent' + requestRoutingRules: [ + { + id: '${appGWExpectedResourceID}/requestRoutingRules/httpRedirect8080-private4433' + } + ] + targetListener: { + id: '${appGWExpectedResourceID}/httpListeners/private4433' + } + } + } + ] + requestRoutingRules: [ + { + name: 'public443-appServiceBackendHttpsSetting-appServiceBackendHttpsSetting' + properties: { + backendAddressPool: { + id: '${appGWExpectedResourceID}/backendAddressPools/appServiceBackendPool' + } + backendHttpSettings: { + id: '${appGWExpectedResourceID}/backendHttpSettingsCollection/appServiceBackendHttpsSetting' + } + httpListener: { + id: '${appGWExpectedResourceID}/httpListeners/public443' + } + priority: 200 + ruleType: 'Basic' + } + } + { + name: 'private4433-privateVmHttpSetting-privateVmHttpSetting' + properties: { + backendAddressPool: { + id: '${appGWExpectedResourceID}/backendAddressPools/privateVmBackendPool' + } + backendHttpSettings: { + id: '${appGWExpectedResourceID}/backendHttpSettingsCollection/privateVmHttpSetting' + } + httpListener: { + id: '${appGWExpectedResourceID}/httpListeners/private4433' + } + priority: 250 + ruleType: 'Basic' + } + } + { + name: 'httpRedirect80-public443' + properties: { + httpListener: { + id: '${appGWExpectedResourceID}/httpListeners/httpRedirect80' + } + priority: 300 + redirectConfiguration: { + id: '${appGWExpectedResourceID}/redirectConfigurations/httpRedirect80' + } + ruleType: 'Basic' + } + } + { + name: 'httpRedirect8080-private4433' + properties: { + httpListener: { + id: '${appGWExpectedResourceID}/httpListeners/httpRedirect8080' + } + priority: 350 + redirectConfiguration: { + id: '${appGWExpectedResourceID}/redirectConfigurations/httpRedirect8080' + } + ruleType: 'Basic' + rewriteRuleSet: { + id: '${appGWExpectedResourceID}/rewriteRuleSets/customRewrite' + } + } + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + sku: 'WAF_v2' + sslCertificates: [ + { + name: '${namePrefix}-az-apgw-x-001-ssl-certificate' + properties: { + keyVaultSecretId: nestedDependencies.outputs.certificateSecretUrl + } + } + ] + managedIdentities: { + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] + } + rewriteRuleSets: [ + { + name: 'customRewrite' + id: '${appGWExpectedResourceID}/rewriteRuleSets/customRewrite' + properties: { + rewriteRules: [ + { + ruleSequence: 100 + conditions: [] + name: 'NewRewrite' + actionSet: { + requestHeaderConfigurations: [ + { + headerName: 'Content-Type' + headerValue: 'JSON' + } + { + headerName: 'someheader' + } + ] + responseHeaderConfigurations: [] + } + } + ] + } + } + ] + webApplicationFirewallConfiguration: { + enabled: true + fileUploadLimitInMb: 100 + firewallMode: 'Detection' + maxRequestBodySizeInKb: 128 + requestBodyCheck: true + ruleSetType: 'OWASP' + ruleSetVersion: '3.0' + disabledRuleGroups: [ + { + ruleGroupName: 'Known-CVEs' + } + { + ruleGroupName: 'REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION' + } + { + ruleGroupName: 'REQUEST-941-APPLICATION-ATTACK-XSS' + } + ] + exclusions: [ + { + matchVariable: 'RequestHeaderNames' + selectorMatchOperator: 'StartsWith' + selector: 'hola' + } + ] + } + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/network/application-security-group/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/application-security-group/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..a7f42aee7b --- /dev/null +++ b/modules/network/application-security-group/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,13 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/network/application-security-group/tests/e2e/waf-aligned/main.test.bicep b/modules/network/application-security-group/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..338980479c --- /dev/null +++ b/modules/network/application-security-group/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,72 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.applicationsecuritygroups-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'nasgmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/network/azure-firewall/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/azure-firewall/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..de9bfec4ea --- /dev/null +++ b/modules/network/azure-firewall/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,64 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +@description('Required. The name of the Public IP to create.') +param publicIPName string + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +var addressPrefix = '10.0.0.0/16' + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'AzureFirewallSubnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 16, 0) + } + } + ] + } +} + +resource publicIP 'Microsoft.Network/publicIPAddresses@2023-04-01' = { + name: publicIPName + location: location + sku: { + name: 'Standard' + tier: 'Regional' + } + properties: { + publicIPAllocationMethod: 'Static' + } + zones: [ + '1' + '2' + '3' + ] +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The resource ID of the created Virtual Network.') +output virtualNetworkResourceId string = virtualNetwork.id + +@description('The resource ID of the created Public IP.') +output publicIPResourceId string = publicIP.id + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/network/azure-firewall/tests/e2e/waf-aligned/main.test.bicep b/modules/network/azure-firewall/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..654c2e950c --- /dev/null +++ b/modules/network/azure-firewall/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,190 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.azurefirewalls-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'nafmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + publicIPName: 'dep-${namePrefix}-pip-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + vNetId: nestedDependencies.outputs.virtualNetworkResourceId + applicationRuleCollections: [ + { + name: 'allow-app-rules' + properties: { + action: { + type: 'allow' + } + priority: 100 + rules: [ + { + fqdnTags: [ + 'AppServiceEnvironment' + 'WindowsUpdate' + ] + name: 'allow-ase-tags' + protocols: [ + { + port: '80' + protocolType: 'HTTP' + } + { + port: '443' + protocolType: 'HTTPS' + } + ] + sourceAddresses: [ + '*' + ] + } + { + name: 'allow-ase-management' + protocols: [ + { + port: '80' + protocolType: 'HTTP' + } + { + port: '443' + protocolType: 'HTTPS' + } + ] + sourceAddresses: [ + '*' + ] + targetFqdns: [ + 'bing.com' + ] + } + ] + } + } + ] + publicIPResourceID: nestedDependencies.outputs.publicIPResourceId + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + networkRuleCollections: [ + { + name: 'allow-network-rules' + properties: { + action: { + type: 'allow' + } + priority: 100 + rules: [ + { + destinationAddresses: [ + '*' + ] + destinationPorts: [ + '12000' + '123' + ] + name: 'allow-ntp' + protocols: [ + 'Any' + ] + sourceAddresses: [ + '*' + ] + } + ] + } + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + zones: [ + '1' + '2' + '3' + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/network/bastion-host/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/bastion-host/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..c25af5e3e7 --- /dev/null +++ b/modules/network/bastion-host/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,59 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +@description('Required. The name of the Public IP to create.') +param publicIPName string + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +var addressPrefix = '10.0.0.0/16' + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'AzureBastionSubnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 16, 0) + } + } + ] + } +} + +resource publicIP 'Microsoft.Network/publicIPAddresses@2023-04-01' = { + name: publicIPName + location: location + sku: { + name: 'Standard' + tier: 'Regional' + } + properties: { + publicIPAllocationMethod: 'Static' + } +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = { + name: managedIdentityName + location: location +} + +@description('The resource ID of the created Virtual Network.') +output virtualNetworkResourceId string = virtualNetwork.id + +@description('The resource ID of the created Public IP.') +output publicIPResourceId string = publicIP.id + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/network/bastion-host/tests/e2e/waf-aligned/main.test.bicep b/modules/network/bastion-host/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..c601028796 --- /dev/null +++ b/modules/network/bastion-host/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,105 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.bastionhosts-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'nbhmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + publicIPName: 'dep-${namePrefix}-pip-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + vNetId: nestedDependencies.outputs.virtualNetworkResourceId + bastionSubnetPublicIpResourceId: nestedDependencies.outputs.publicIPResourceId + diagnosticSettings: [ + { + name: 'customSetting' + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + disableCopyPaste: true + enableFileCopy: false + enableIpConnect: false + enableShareableLink: false + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + scaleUnits: 4 + skuName: 'Standard' + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/network/ddos-protection-plan/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/ddos-protection-plan/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..a7f42aee7b --- /dev/null +++ b/modules/network/ddos-protection-plan/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,13 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/network/ddos-protection-plan/tests/e2e/waf-aligned/main.test.bicep b/modules/network/ddos-protection-plan/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..5ef4541d51 --- /dev/null +++ b/modules/network/ddos-protection-plan/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,72 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.ddosprotectionplans-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'ndppmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/network/dns-forwarding-ruleset/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/dns-forwarding-ruleset/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..d1fb3445ee --- /dev/null +++ b/modules/network/dns-forwarding-ruleset/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,81 @@ +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +@description('Required. The name of the DNS Resolver to create.') +param dnsResolverName string + +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +var addressPrefix = '10.0.0.0/16' + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: map(range(0, 2), i => { + name: 'subnet-${i}' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 25, i) + delegations: [ + { + name: 'dnsdel' + properties: { + serviceName: 'Microsoft.Network/dnsResolvers' + } + } + ] + } + }) + } +} + +resource dnsResolver 'Microsoft.Network/dnsResolvers@2022-07-01' = { + name: dnsResolverName + location: location + properties: { + virtualNetwork: { + id: virtualNetwork.id + } + + } +} + +resource outboundEndpoints 'Microsoft.Network/dnsResolvers/outboundEndpoints@2022-07-01' = { + name: 'pdnsout' + location: location + parent: dnsResolver + properties: { + subnet: { + id: virtualNetwork.properties.subnets[1].id + } + } +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The resource ID of the created Virtual Network.') +output virtualNetworkResourceId string = virtualNetwork.id + +@description('The resource ID of the created inbound endpoint Virtual Network Subnet.') +output subnetResourceId_dnsIn string = virtualNetwork.properties.subnets[0].id + +@description('The resource ID of the created outbound endpoint Virtual Network Subnet.') +output subnetResourceId_dnsOut string = virtualNetwork.properties.subnets[1].id + +@description('The resource ID of the created DNS Resolver.') +output dnsResolverOutboundEndpointsId string = outboundEndpoints.id + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/network/dns-forwarding-ruleset/tests/e2e/waf-aligned/main.test.bicep b/modules/network/dns-forwarding-ruleset/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..62b410d4e1 --- /dev/null +++ b/modules/network/dns-forwarding-ruleset/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,94 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.dnsForwardingRuleset-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'ndfrsmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + dnsResolverName: 'dep-${namePrefix}-ndr-${serviceShort}' + location: location + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + dnsResolverOutboundEndpointResourceIds: [ + nestedDependencies.outputs.dnsResolverOutboundEndpointsId + ] + vNetLinks: [ + nestedDependencies.outputs.virtualNetworkResourceId + ] + forwardingRules: [ + { + name: 'rule1' + forwardingRuleState: 'Enabled' + domainName: 'contoso.' + targetDnsServers: [ + { + ipAddress: '192.168.0.1' + port: '53' + } + ] + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/network/dns-resolver/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/dns-resolver/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..7a174f0fc2 --- /dev/null +++ b/modules/network/dns-resolver/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,42 @@ +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +var addressPrefix = '10.0.0.0/16' + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: map(range(0, 2), i => { + name: 'subnet-${i}' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 25, i) + delegations: [ + { + name: 'dnsdel' + properties: { + serviceName: 'Microsoft.Network/dnsResolvers' + } + } + ] + } + }) + } +} + +@description('The resource ID of the created Virtual Network.') +output virtualNetworkId string = virtualNetwork.id + +@description('The resource ID of the created inbound endpoint Virtual Network Subnet.') +output subnetResourceId_dnsIn string = virtualNetwork.properties.subnets[0].id + +@description('The resource ID of the created outbound endpoint Virtual Network Subnet.') +output subnetResourceId_dnsOut string = virtualNetwork.properties.subnets[1].id diff --git a/modules/network/dns-resolver/tests/e2e/waf-aligned/main.test.bicep b/modules/network/dns-resolver/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..a15b78dbf0 --- /dev/null +++ b/modules/network/dns-resolver/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,75 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.dnsResolvers-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'ndrmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + virtualNetworkId: nestedDependencies.outputs.virtualNetworkId + inboundEndpoints: [ + { + name: '${namePrefix}-az-pdnsin-x-001' + subnetId: nestedDependencies.outputs.subnetResourceId_dnsIn + } + ] + outboundEndpoints: [ + { + name: '${namePrefix}-az-pdnsout-x-001' + subnetId: nestedDependencies.outputs.subnetResourceId_dnsOut + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/network/dns-zone/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/dns-zone/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..22bd417624 --- /dev/null +++ b/modules/network/dns-zone/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,37 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Traffic Manager Profile to create.') +param trafficManagerProfileName string + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +resource trafficManagerProfile 'Microsoft.Network/trafficmanagerprofiles@2022-04-01-preview' = { + name: trafficManagerProfileName + location: 'global' + properties: { + trafficRoutingMethod: 'Performance' + maxReturn: 0 + dnsConfig: { + relativeName: trafficManagerProfileName + ttl: 60 + } + monitorConfig: { + protocol: 'HTTP' + port: 80 + path: '/' + } + } +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The resource ID of the created Traffic Manager Profile.') +output trafficManagerProfileResourceId string = trafficManagerProfile.id + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/network/dns-zone/tests/e2e/waf-aligned/main.test.bicep b/modules/network/dns-zone/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..f1ec3b4b4a --- /dev/null +++ b/modules/network/dns-zone/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,222 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.dnszones-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'ndzmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + trafficManagerProfileName: 'dep-${namePrefix}-tmp-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001.com' + a: [ + { + aRecords: [ + { + ipv4Address: '10.240.4.4' + } + ] + name: 'A_10.240.4.4' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + ttl: 3600 + } + ] + aaaa: [ + { + aaaaRecords: [ + { + ipv6Address: '2001:0db8:85a3:0000:0000:8a2e:0370:7334' + } + ] + name: 'AAAA_2001_0db8_85a3_0000_0000_8a2e_0370_7334' + ttl: 3600 + } + ] + cname: [ + { + cnameRecord: { + cname: 'test' + } + name: 'CNAME_test' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + ttl: 3600 + } + { + name: 'CNAME_aliasRecordSet' + targetResourceId: nestedDependencies.outputs.trafficManagerProfileResourceId + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + mx: [ + { + mxRecords: [ + { + exchange: 'contoso.com' + preference: 100 + } + ] + name: 'MX_contoso' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + ttl: 3600 + } + ] + ptr: [ + { + name: 'PTR_contoso' + ptrRecords: [ + { + ptrdname: 'contoso.com' + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + ttl: 3600 + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + soa: [ + { + name: '@' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + soaRecord: { + email: 'azuredns-hostmaster.microsoft.com' + expireTime: 2419200 + host: 'ns1-04.azure-dns.com.' + minimumTtl: 300 + refreshTime: 3600 + retryTime: 300 + serialNumber: '1' + } + ttl: 3600 + } + ] + srv: [ + { + name: 'SRV_contoso' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + srvRecords: [ + { + port: 9332 + priority: 0 + target: 'test.contoso.com' + weight: 0 + } + ] + ttl: 3600 + } + ] + txt: [ + { + name: 'TXT_test' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + ttl: 3600 + txtRecords: [ + { + value: [ + 'test' + ] + } + ] + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/network/express-route-circuit/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/express-route-circuit/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..a7f42aee7b --- /dev/null +++ b/modules/network/express-route-circuit/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,13 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/network/express-route-circuit/tests/e2e/waf-aligned/main.test.bicep b/modules/network/express-route-circuit/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..3243abdb14 --- /dev/null +++ b/modules/network/express-route-circuit/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,106 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.expressroutecircuits-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'nercmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + bandwidthInMbps: 50 + peeringLocation: 'Amsterdam' + serviceProviderName: 'Equinix' + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + skuFamily: 'MeteredData' + skuTier: 'Standard' + allowClassicOperations: true + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/network/express-route-gateway/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/express-route-gateway/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..acaa3b4df8 --- /dev/null +++ b/modules/network/express-route-gateway/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,38 @@ +@description('Required. The name of the virtual WAN to create.') +param virtualWANName string + +@description('Required. The name of the virtual Hub to create.') +param virtualHubName string + +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +resource virtualWan 'Microsoft.Network/virtualWans@2023-04-01' = { + name: virtualWANName + location: location +} + +resource virtualHub 'Microsoft.Network/virtualHubs@2023-04-01' = { + name: virtualHubName + location: location + properties: { + addressPrefix: '10.0.0.0/16' + virtualWan: { + id: virtualWan.id + } + } +} + +@description('The resource ID of the created Virtual Hub.') +output virtualHubResourceId string = virtualHub.id + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/network/express-route-gateway/tests/e2e/waf-aligned/main.test.bicep b/modules/network/express-route-gateway/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..1578837962 --- /dev/null +++ b/modules/network/express-route-gateway/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,75 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.expressRouteGateway-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'nergmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualWANName: 'dep-${namePrefix}-vwan-${serviceShort}' + virtualHubName: 'dep-${namePrefix}-hub-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + tags: { + 'hidden-title': 'This is visible in the resource name' + hello: 'world' + } + autoScaleConfigurationBoundsMin: 2 + autoScaleConfigurationBoundsMax: 3 + virtualHubId: nestedDependencies.outputs.virtualHubResourceId + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + } +} diff --git a/modules/network/firewall-policy/tests/e2e/waf-aligned/main.test.bicep b/modules/network/firewall-policy/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..880b8de836 --- /dev/null +++ b/modules/network/firewall-policy/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,93 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.firewallpolicies-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'nfpmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + ruleCollectionGroups: [ + { + name: '${namePrefix}-rule-001' + priority: 5000 + ruleCollections: [ + { + action: { + type: 'Allow' + } + name: 'collection002' + priority: 5555 + ruleCollectionType: 'FirewallPolicyFilterRuleCollection' + rules: [ + { + destinationAddresses: [ + '*' + ] + destinationFqdns: [] + destinationIpGroups: [] + destinationPorts: [ + '80' + ] + ipProtocols: [ + 'TCP' + 'UDP' + ] + name: 'rule002' + ruleType: 'NetworkRule' + sourceAddresses: [ + '*' + ] + sourceIpGroups: [] + } + ] + } + ] + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + allowSqlRedirect: true + autoLearnPrivateRanges: 'Enabled' + } +} diff --git a/modules/network/front-door-web-application-firewall-policy/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/front-door-web-application-firewall-policy/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..7b3d4e8fb0 --- /dev/null +++ b/modules/network/front-door-web-application-firewall-policy/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,13 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = { + name: managedIdentityName + location: location +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/network/front-door-web-application-firewall-policy/tests/e2e/waf-aligned/main.test.bicep b/modules/network/front-door-web-application-firewall-policy/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..7bce666da5 --- /dev/null +++ b/modules/network/front-door-web-application-firewall-policy/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,135 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.frontdoorWebApplicationFirewallPolicies-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'nagwafpmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + sku: 'Premium_AzureFrontDoor' + policySettings: { + mode: 'Prevention' + redirectUrl: 'http://www.bing.com' + customBlockResponseStatusCode: 200 + customBlockResponseBody: 'PGh0bWw+CjxoZWFkZXI+PHRpdGxlPkhlbGxvPC90aXRsZT48L2hlYWRlcj4KPGJvZHk+CkhlbGxvIHdvcmxkCjwvYm9keT4KPC9odG1sPg==' + } + customRules: { + rules: [ + { + name: 'CustomRule1' + priority: 2 + enabledState: 'Enabled' + action: 'Block' + ruleType: 'MatchRule' + rateLimitDurationInMinutes: 1 + rateLimitThreshold: 10 + matchConditions: [ + { + matchVariable: 'RemoteAddr' + selector: null + operator: 'GeoMatch' + negateCondition: false + transforms: [] + matchValue: [ + 'CH' + ] + } + { + matchVariable: 'RequestHeader' + selector: 'UserAgent' + operator: 'Contains' + negateCondition: false + transforms: [] + matchValue: [ + 'windows' + ] + } + { + matchVariable: 'QueryString' + operator: 'Contains' + negateCondition: false + transforms: [ + 'UrlDecode' + 'Lowercase' + ] + matchValue: [ + '' + ] + } + ] + } + ] + } + managedRules: { + managedRuleSets: [ + { + ruleSetType: 'Microsoft_BotManagerRuleSet' + ruleSetVersion: '1.0' + } + ] + } + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + } +} diff --git a/modules/network/front-door/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/front-door/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..a7f42aee7b --- /dev/null +++ b/modules/network/front-door/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,13 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/network/front-door/tests/e2e/waf-aligned/main.test.bicep b/modules/network/front-door/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..bb77bb9c3e --- /dev/null +++ b/modules/network/front-door/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,161 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.frontdoors-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'nfdmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // +var resourceName = '${namePrefix}${serviceShort}001' +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: resourceName + backendPools: [ + { + name: 'backendPool' + properties: { + backends: [ + { + address: 'biceptest.local' + backendHostHeader: 'backendAddress' + enabledState: 'Enabled' + httpPort: 80 + httpsPort: 443 + priority: 1 + privateLinkAlias: '' + privateLinkApprovalMessage: '' + privateLinkLocation: '' + privateLinkResourceId: '' + weight: 50 + } + ] + HealthProbeSettings: { + id: '${resourceGroup.id}/providers/Microsoft.Network/frontDoors/${resourceName}/HealthProbeSettings/heathProbe' + } + LoadBalancingSettings: { + id: '${resourceGroup.id}/providers/Microsoft.Network/frontDoors/${resourceName}/LoadBalancingSettings/loadBalancer' + } + } + } + ] + enforceCertificateNameCheck: 'Disabled' + frontendEndpoints: [ + { + name: 'frontEnd' + properties: { + hostName: '${resourceName}.${environment().suffixes.azureFrontDoorEndpointSuffix}' + sessionAffinityEnabledState: 'Disabled' + sessionAffinityTtlSeconds: 60 + } + } + ] + healthProbeSettings: [ + { + name: 'heathProbe' + properties: { + enabledState: '' + healthProbeMethod: '' + intervalInSeconds: 60 + path: '/' + protocol: 'Https' + } + } + ] + loadBalancingSettings: [ + { + name: 'loadBalancer' + properties: { + additionalLatencyMilliseconds: 0 + sampleSize: 50 + successfulSamplesRequired: 1 + } + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + routingRules: [ + { + name: 'routingRule' + properties: { + acceptedProtocols: [ + 'Http' + 'Https' + ] + enabledState: 'Enabled' + frontendEndpoints: [ + { + id: '${resourceGroup.id}/providers/Microsoft.Network/frontDoors/${resourceName}/FrontendEndpoints/frontEnd' + } + ] + patternsToMatch: [ + '/*' + ] + routeConfiguration: { + '@odata.type': '#Microsoft.Azure.FrontDoor.Models.FrontdoorForwardingConfiguration' + backendPool: { + id: '${resourceGroup.id}/providers/Microsoft.Network/frontDoors/${resourceName}/BackendPools/backendPool' + } + forwardingProtocol: 'MatchRequest' + } + } + } + ] + sendRecvTimeoutSeconds: 10 + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/network/ip-group/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/ip-group/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..a7f42aee7b --- /dev/null +++ b/modules/network/ip-group/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,13 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/network/ip-group/tests/e2e/waf-aligned/main.test.bicep b/modules/network/ip-group/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..568ddb0caa --- /dev/null +++ b/modules/network/ip-group/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,76 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.ipgroups-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'nigmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + ipAddresses: [ + '10.0.0.1' + '10.0.0.2' + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/network/load-balancer/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/load-balancer/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..c54f364b82 --- /dev/null +++ b/modules/network/load-balancer/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,36 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Public IP to create.') +param publicIPName string + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +resource publicIP 'Microsoft.Network/publicIPAddresses@2023-04-01' = { + name: publicIPName + location: location + sku: { + name: 'Standard' + tier: 'Regional' + } + properties: { + publicIPAllocationMethod: 'Static' + } + zones: [ + '1' + '2' + '3' + ] +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The resource ID of the created Public IP.') +output publicIPResourceId string = publicIP.id + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/network/load-balancer/tests/e2e/waf-aligned/main.test.bicep b/modules/network/load-balancer/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..9d7f2ac2d5 --- /dev/null +++ b/modules/network/load-balancer/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,181 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.loadbalancers-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'nlbmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + publicIPName: 'dep-${namePrefix}-pip-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + frontendIPConfigurations: [ + { + name: 'publicIPConfig1' + publicIPAddressId: nestedDependencies.outputs.publicIPResourceId + } + ] + backendAddressPools: [ + { + name: 'backendAddressPool1' + } + { + name: 'backendAddressPool2' + } + ] + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + inboundNatRules: [ + { + backendPort: 443 + enableFloatingIP: false + enableTcpReset: false + frontendIPConfigurationName: 'publicIPConfig1' + frontendPort: 443 + idleTimeoutInMinutes: 4 + name: 'inboundNatRule1' + protocol: 'Tcp' + } + { + backendPort: 3389 + frontendIPConfigurationName: 'publicIPConfig1' + frontendPort: 3389 + name: 'inboundNatRule2' + } + ] + loadBalancingRules: [ + { + backendAddressPoolName: 'backendAddressPool1' + backendPort: 80 + disableOutboundSnat: true + enableFloatingIP: false + enableTcpReset: false + frontendIPConfigurationName: 'publicIPConfig1' + frontendPort: 80 + idleTimeoutInMinutes: 5 + loadDistribution: 'Default' + name: 'publicIPLBRule1' + probeName: 'probe1' + protocol: 'Tcp' + } + { + backendAddressPoolName: 'backendAddressPool2' + backendPort: 8080 + frontendIPConfigurationName: 'publicIPConfig1' + frontendPort: 8080 + loadDistribution: 'Default' + name: 'publicIPLBRule2' + probeName: 'probe2' + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + outboundRules: [ + { + allocatedOutboundPorts: 63984 + backendAddressPoolName: 'backendAddressPool1' + frontendIPConfigurationName: 'publicIPConfig1' + name: 'outboundRule1' + } + ] + probes: [ + { + intervalInSeconds: 10 + name: 'probe1' + numberOfProbes: 5 + port: 80 + protocol: 'Tcp' + } + { + name: 'probe2' + port: 443 + protocol: 'Https' + requestPath: '/' + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/network/local-network-gateway/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/local-network-gateway/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..a7f42aee7b --- /dev/null +++ b/modules/network/local-network-gateway/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,13 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/network/local-network-gateway/tests/e2e/waf-aligned/main.test.bicep b/modules/network/local-network-gateway/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..c320c4dba1 --- /dev/null +++ b/modules/network/local-network-gateway/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,78 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.localnetworkgateways-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'nlngmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + localAddressPrefixes: [ + '192.168.1.0/24' + ] + localGatewayPublicIpAddress: '8.8.8.8' + localAsn: '65123' + localBgpPeeringAddress: '192.168.1.5' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/network/nat-gateway/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/nat-gateway/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..a7f42aee7b --- /dev/null +++ b/modules/network/nat-gateway/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,13 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/network/nat-gateway/tests/e2e/waf-aligned/main.test.bicep b/modules/network/nat-gateway/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..36cd281d6e --- /dev/null +++ b/modules/network/nat-gateway/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,118 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.natgateways-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'nngmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + publicIPAddressObjects: [ + { + name: '${namePrefix}${serviceShort}001-pip' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + skuTier: 'Regional' + zones: [ + '1' + '2' + '3' + ] + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/network/network-interface/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/network-interface/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..b3a10d32f6 --- /dev/null +++ b/modules/network/network-interface/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,113 @@ +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +@description('Required. The name of the Application Security Group to create.') +param applicationSecurityGroupName string + +@description('Required. The name of the Load Balancer Backend Address Pool to create.') +param loadBalancerName string + +var addressPrefix = '10.0.0.0/16' + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'defaultSubnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 16, 0) + } + } + ] + } +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +resource applicationSecurityGroup 'Microsoft.Network/applicationSecurityGroups@2023-04-01' = { + name: applicationSecurityGroupName + location: location +} + +resource loadBalancer 'Microsoft.Network/loadBalancers@2023-04-01' = { + name: loadBalancerName + location: location + sku: { + name: 'Standard' + } + + properties: { + frontendIPConfigurations: [ + { + name: 'privateIPConfig1' + properties: { + subnet: { + id: virtualNetwork.properties.subnets[0].id + } + } + } + ] + } + + resource backendPool 'backendAddressPools@2022-01-01' = { + name: 'default' + } +} + +resource inboundNatRule 'Microsoft.Network/loadBalancers/inboundNatRules@2023-04-01' = { + name: 'inboundNatRule1' + properties: { + frontendPort: 443 + backendPort: 443 + enableFloatingIP: false + enableTcpReset: false + frontendIPConfiguration: { + id: loadBalancer.properties.frontendIPConfigurations[0].id + } + idleTimeoutInMinutes: 4 + protocol: 'Tcp' + } + parent: loadBalancer +} + +resource inboundNatRule2 'Microsoft.Network/loadBalancers/inboundNatRules@2023-04-01' = { + name: 'inboundNatRule2' + properties: { + frontendPort: 3389 + backendPort: 3389 + frontendIPConfiguration: { + id: loadBalancer.properties.frontendIPConfigurations[0].id + } + idleTimeoutInMinutes: 4 + protocol: 'Tcp' + } + parent: loadBalancer +} + +@description('The resource ID of the created Virtual Network Subnet.') +output subnetResourceId string = virtualNetwork.properties.subnets[0].id + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Application Security Group.') +output applicationSecurityGroupResourceId string = applicationSecurityGroup.id + +@description('The resource ID of the created Load Balancer Backend Pool Name.') +output loadBalancerBackendPoolResourceId string = loadBalancer::backendPool.id diff --git a/modules/network/network-interface/tests/e2e/waf-aligned/main.test.bicep b/modules/network/network-interface/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..586661dbc4 --- /dev/null +++ b/modules/network/network-interface/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,127 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.networkinterfaces-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'nnimax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + applicationSecurityGroupName: 'dep-${namePrefix}-asg-${serviceShort}' + loadBalancerName: 'dep-${namePrefix}-lb-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + ipConfigurations: [ + { + applicationSecurityGroups: [ + { + id: nestedDependencies.outputs.applicationSecurityGroupResourceId + } + ] + loadBalancerBackendAddressPools: [ + { + id: nestedDependencies.outputs.loadBalancerBackendPoolResourceId + } + ] + name: 'ipconfig01' + subnetResourceId: nestedDependencies.outputs.subnetResourceId + } + { + subnetResourceId: nestedDependencies.outputs.subnetResourceId + applicationSecurityGroups: [ + { + id: nestedDependencies.outputs.applicationSecurityGroupResourceId + } + ] + } + ] + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/network/network-manager/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/network-manager/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..501a5a13c0 --- /dev/null +++ b/modules/network/network-manager/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,96 @@ +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +@description('Required. The name of the Hub Virtual Network to create.') +param virtualNetworkHubName string + +@description('Required. The name of the Spoke 1 Virtual Network to create.') +param virtualNetworkSpoke1Name string + +@description('Required. The name of the Spoke 2 Virtual Network to create.') +param virtualNetworkSpoke2Name string + +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = { + name: managedIdentityName + location: location +} + +var addressPrefixHub = '10.0.0.0/16' +var addressPrefixSpoke1 = '172.16.0.0/12' +var addressPrefixSpoke2 = '192.168.0.0/16' +var subnetName = 'defaultSubnet' + +resource virtualNetworkHub 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkHubName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefixHub + ] + } + subnets: [ + { + name: subnetName + properties: { + addressPrefix: addressPrefixHub + } + } + ] + } +} + +resource virtualNetworkSpoke1 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkSpoke1Name + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefixSpoke1 + ] + } + subnets: [ + { + name: subnetName + properties: { + addressPrefix: addressPrefixSpoke1 + } + } + ] + } +} + +resource virtualNetworkSpoke2 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkSpoke2Name + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefixSpoke2 + ] + } + subnets: [ + { + name: subnetName + properties: { + addressPrefix: addressPrefixSpoke2 + } + } + ] + } +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Hub Virtual Network.') +output virtualNetworkHubId string = virtualNetworkHub.id + +@description('The resource ID of the created Spoke 1 Virtual Network.') +output virtualNetworkSpoke1Id string = virtualNetworkSpoke1.id + +@description('The resource ID of the created Spoke 2 Virtual Network.') +output virtualNetworkSpoke2Id string = virtualNetworkSpoke2.id diff --git a/modules/network/network-manager/tests/e2e/waf-aligned/main.test.bicep b/modules/network/network-manager/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..a1cb6fb4f6 --- /dev/null +++ b/modules/network/network-manager/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,255 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.networkmanagers-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'nnmmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + virtualNetworkHubName: 'dep-${namePrefix}-vnetHub-${serviceShort}' + virtualNetworkSpoke1Name: 'dep-${namePrefix}-vnetSpoke1-${serviceShort}' + virtualNetworkSpoke2Name: 'dep-${namePrefix}-vnetSpoke2-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +var networkManagerName = '${namePrefix}${serviceShort}001' +var networkManagerExpecetedResourceID = '${resourceGroup.id}/providers/Microsoft.Network/networkManagers/${networkManagerName}' + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + name: networkManagerName + enableDefaultTelemetry: enableDefaultTelemetry + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + networkManagerScopeAccesses: [ + 'Connectivity' + 'SecurityAdmin' + ] + networkManagerScopes: { + subscriptions: [ + subscription().id + ] + } + networkGroups: [ + { + name: 'network-group-spokes' + description: 'network-group-spokes description' + staticMembers: [ + { + name: 'virtualNetworkSpoke1' + resourceId: nestedDependencies.outputs.virtualNetworkSpoke1Id + } + { + name: 'virtualNetworkSpoke2' + resourceId: nestedDependencies.outputs.virtualNetworkSpoke2Id + } + ] + } + ] + connectivityConfigurations: [ + { + name: 'hubSpokeConnectivity' + description: 'hubSpokeConnectivity description' + connectivityTopology: 'HubAndSpoke' + hubs: [ + { + resourceId: nestedDependencies.outputs.virtualNetworkHubId + resourceType: 'Microsoft.Network/virtualNetworks' + } + ] + deleteExistingPeering: 'True' + isGlobal: 'True' + appliesToGroups: [ + { + networkGroupId: '${networkManagerExpecetedResourceID}/networkGroups/network-group-spokes' + useHubGateway: 'False' + groupConnectivity: 'None' + isGlobal: 'False' + } + ] + } + { + name: 'MeshConnectivity' + description: 'MeshConnectivity description' + connectivityTopology: 'Mesh' + deleteExistingPeering: 'True' + isGlobal: 'True' + appliesToGroups: [ + { + networkGroupId: '${networkManagerExpecetedResourceID}/networkGroups/network-group-spokes' + useHubGateway: 'False' + groupConnectivity: 'None' + isGlobal: 'False' + } + ] + } + ] + scopeConnections: [ + { + name: 'scope-connection-test' + description: 'description of the scope connection' + resourceId: subscription().id + tenantid: tenant().tenantId + } + ] + securityAdminConfigurations: [ + { + name: 'test-security-admin-config' + description: 'description of the security admin config' + applyOnNetworkIntentPolicyBasedServices: [ + 'AllowRulesOnly' + ] + ruleCollections: [ + { + name: 'test-rule-collection-1' + description: 'test-rule-collection-description' + appliesToGroups: [ + { + networkGroupId: '${networkManagerExpecetedResourceID}/networkGroups/network-group-spokes' + } + ] + rules: [ + { + name: 'test-inbound-allow-rule-1' + description: 'test-inbound-allow-rule-1-description' + access: 'Allow' + direction: 'Inbound' + priority: 150 + protocol: 'Tcp' + } + { + name: 'test-outbound-deny-rule-2' + description: 'test-outbound-deny-rule-2-description' + access: 'Deny' + direction: 'Outbound' + priority: 200 + protocol: 'Tcp' + sourcePortRanges: [ + '80' + '442-445' + ] + sources: [ + { + addressPrefix: 'AppService.WestEurope' + addressPrefixType: 'ServiceTag' + } + ] + } + ] + } + { + name: 'test-rule-collection-2' + description: 'test-rule-collection-description' + appliesToGroups: [ + { + networkGroupId: '${networkManagerExpecetedResourceID}/networkGroups/network-group-spokes' + } + ] + rules: [ + { + name: 'test-inbound-allow-rule-3' + description: 'test-inbound-allow-rule-3-description' + access: 'Allow' + direction: 'Inbound' + destinationPortRanges: [ + '80' + '442-445' + ] + destinations: [ + { + addressPrefix: '192.168.20.20' + addressPrefixType: 'IPPrefix' + } + ] + priority: 250 + protocol: 'Tcp' + } + { + name: 'test-inbound-allow-rule-4' + description: 'test-inbound-allow-rule-4-description' + access: 'Allow' + direction: 'Inbound' + sources: [ + { + addressPrefix: '10.0.0.0/24' + addressPrefixType: 'IPPrefix' + } + { + addressPrefix: '100.100.100.100' + addressPrefixType: 'IPPrefix' + } + ] + destinations: [ + { + addressPrefix: '172.16.0.0/24' + addressPrefixType: 'IPPrefix' + } + { + addressPrefix: '172.16.1.0/24' + addressPrefixType: 'IPPrefix' + } + ] + priority: 260 + protocol: 'Tcp' + } + ] + } + ] + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/network/network-security-group/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/network-security-group/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..951c71af97 --- /dev/null +++ b/modules/network/network-security-group/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,24 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +@description('Required. The name of the Application Security Group to create.') +param applicationSecurityGroupName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +resource applicationSecurityGroup 'Microsoft.Network/applicationSecurityGroups@2023-04-01' = { + name: applicationSecurityGroupName + location: location +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Application Security Group.') +output applicationSecurityGroupResourceId string = applicationSecurityGroup.id diff --git a/modules/network/network-security-group/tests/e2e/waf-aligned/main.test.bicep b/modules/network/network-security-group/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..ba20a64fbc --- /dev/null +++ b/modules/network/network-security-group/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,160 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.networksecuritygroups-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'nnsgmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + applicationSecurityGroupName: 'dep-${namePrefix}-asg-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + diagnosticSettings: [ + { + name: 'customSetting' + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + securityRules: [ + { + name: 'Specific' + properties: { + access: 'Allow' + description: 'Tests specific IPs and ports' + destinationAddressPrefix: '*' + destinationPortRange: '8080' + direction: 'Inbound' + priority: 100 + protocol: '*' + sourceAddressPrefix: '*' + sourcePortRange: '*' + } + } + { + name: 'Ranges' + properties: { + access: 'Allow' + description: 'Tests Ranges' + destinationAddressPrefixes: [ + '10.2.0.0/16' + '10.3.0.0/16' + ] + destinationPortRanges: [ + '90' + '91' + ] + direction: 'Inbound' + priority: 101 + protocol: '*' + sourceAddressPrefixes: [ + '10.0.0.0/16' + '10.1.0.0/16' + ] + sourcePortRanges: [ + '80' + '81' + ] + } + } + { + name: 'Port_8082' + properties: { + access: 'Allow' + description: 'Allow inbound access on TCP 8082' + destinationApplicationSecurityGroups: [ + { + id: nestedDependencies.outputs.applicationSecurityGroupResourceId + } + ] + destinationPortRange: '8082' + direction: 'Inbound' + priority: 102 + protocol: '*' + sourceApplicationSecurityGroups: [ + { + id: nestedDependencies.outputs.applicationSecurityGroupResourceId + } + ] + sourcePortRange: '*' + } + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/network/network-watcher/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/network-watcher/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..c20f841f30 --- /dev/null +++ b/modules/network/network-watcher/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,144 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +@description('Required. The name of the first Network Security Group to create.') +param firstNetworkSecurityGroupName string + +@description('Required. The name of the second Network Security Group to create.') +param secondNetworkSecurityGroupName string + +@description('Required. The name of the Virtual Machine to create.') +param virtualMachineName string + +@description('Optional. The password to leverage for the VM login.') +@secure() +param password string = newGuid() + +var addressPrefix = '10.0.0.0/16' + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'defaultSubnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 16, 0) + } + } + ] + } +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +resource firstNetworkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2023-04-01' = { + name: firstNetworkSecurityGroupName + location: location +} + +resource secondNetworkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2023-04-01' = { + name: secondNetworkSecurityGroupName + location: location +} + +resource networkInterface 'Microsoft.Network/networkInterfaces@2023-04-01' = { + name: '${virtualMachineName}-nic' + location: location + properties: { + ipConfigurations: [ + { + name: 'ipconfig01' + properties: { + subnet: { + id: virtualNetwork.properties.subnets[0].id + } + } + } + ] + } +} + +resource virtualMachine 'Microsoft.Compute/virtualMachines@2022-08-01' = { + name: virtualMachineName + location: location + properties: { + networkProfile: { + networkInterfaces: [ + { + id: networkInterface.id + properties: { + deleteOption: 'Delete' + primary: true + } + } + ] + } + storageProfile: { + imageReference: { + publisher: 'Canonical' + offer: '0001-com-ubuntu-server-jammy' + sku: '22_04-lts-gen2' + version: 'latest' + } + osDisk: { + deleteOption: 'Delete' + createOption: 'FromImage' + } + } + hardwareProfile: { + vmSize: 'Standard_B1ms' + } + osProfile: { + adminUsername: '${virtualMachineName}cake' + adminPassword: password + computerName: virtualMachineName + linuxConfiguration: { + disablePasswordAuthentication: false + } + } + } +} + +resource extension 'Microsoft.Compute/virtualMachines/extensions@2021-07-01' = { + name: 'NetworkWatcherAgent' + parent: virtualMachine + location: location + properties: { + publisher: 'Microsoft.Azure.NetworkWatcher' + type: 'NetworkWatcherAgentLinux' + typeHandlerVersion: '1.4' + autoUpgradeMinorVersion: true + enableAutomaticUpgrade: false + settings: {} + protectedSettings: {} + suppressFailures: false + } +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Virtual Machine.') +output virtualMachineResourceId string = virtualMachine.id + +@description('The resource ID of the first created Network Security Group.') +output firstNetworkSecurityGroupResourceId string = firstNetworkSecurityGroup.id + +@description('The resource ID of the second created Network Security Group.') +output secondNetworkSecurityGroupResourceId string = secondNetworkSecurityGroup.id diff --git a/modules/network/network-watcher/tests/e2e/waf-aligned/main.test.bicep b/modules/network/network-watcher/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..d4dcd43292 --- /dev/null +++ b/modules/network/network-watcher/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,158 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'NetworkWatcherRG' // Note, this is the default NetworkWatcher resource group. Do not change. + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'nnwmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + firstNetworkSecurityGroupName: 'dep-${namePrefix}-nsg-1-${serviceShort}' + secondNetworkSecurityGroupName: 'dep-${namePrefix}-nsg-2-${serviceShort}' + virtualMachineName: 'dep-${namePrefix}-vm-${serviceShort}' + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + location: location + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // +#disable-next-line no-hardcoded-location // Disabled as the default RG & location are created in always one location, but each test has to deploy into a different one +var testLocation = 'westeurope' +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, testLocation)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: 'NetworkWatcher_${testLocation}' + location: testLocation + connectionMonitors: [ + { + name: '${namePrefix}-${serviceShort}-cm-001' + endpoints: [ + { + name: '${namePrefix}-subnet-001(${resourceGroup.name})' + resourceId: nestedDependencies.outputs.virtualMachineResourceId + type: 'AzureVM' + } + { + address: 'www.bing.com' + name: 'Bing' + type: 'ExternalAddress' + } + ] + testConfigurations: [ + { + httpConfiguration: { + method: 'Get' + port: 80 + preferHTTPS: false + requestHeaders: [] + validStatusCodeRanges: [ + '200' + ] + } + name: 'HTTP Bing Test' + protocol: 'Http' + successThreshold: { + checksFailedPercent: 5 + roundTripTimeMs: 100 + } + testFrequencySec: 30 + } + ] + testGroups: [ + { + destinations: [ + 'Bing' + ] + disable: false + name: 'test-http-Bing' + sources: [ + '${namePrefix}-subnet-001(${resourceGroup.name})' + ] + testConfigurations: [ + 'HTTP Bing Test' + ] + } + ] + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + flowLogs: [ + { + enabled: false + storageId: diagnosticDependencies.outputs.storageAccountResourceId + targetResourceId: nestedDependencies.outputs.firstNetworkSecurityGroupResourceId + } + { + formatVersion: 1 + name: '${namePrefix}-${serviceShort}-fl-001' + retentionInDays: 8 + storageId: diagnosticDependencies.outputs.storageAccountResourceId + targetResourceId: nestedDependencies.outputs.secondNetworkSecurityGroupResourceId + trafficAnalyticsInterval: 10 + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/network/private-dns-zone/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/private-dns-zone/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..f4ff1fbf54 --- /dev/null +++ b/modules/network/private-dns-zone/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,41 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +var addressPrefix = '10.0.0.0/16' + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'defaultSubnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 16, 0) + } + } + ] + } +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The resource ID of the created Virtual Network.') +output virtualNetworkResourceId string = virtualNetwork.id + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/network/private-dns-zone/tests/e2e/waf-aligned/main.test.bicep b/modules/network/private-dns-zone/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..d62a97edb9 --- /dev/null +++ b/modules/network/private-dns-zone/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,224 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.privatednszones-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'npdzmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001.com' + a: [ + { + aRecords: [ + { + ipv4Address: '10.240.4.4' + } + ] + name: 'A_10.240.4.4' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + ttl: 3600 + } + ] + aaaa: [ + { + aaaaRecords: [ + { + ipv6Address: '2001:0db8:85a3:0000:0000:8a2e:0370:7334' + } + ] + name: 'AAAA_2001_0db8_85a3_0000_0000_8a2e_0370_7334' + ttl: 3600 + } + ] + cname: [ + { + cnameRecord: { + cname: 'test' + } + name: 'CNAME_test' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + ttl: 3600 + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + mx: [ + { + mxRecords: [ + { + exchange: 'contoso.com' + preference: 100 + } + ] + name: 'MX_contoso' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + ttl: 3600 + } + ] + ptr: [ + { + name: 'PTR_contoso' + ptrRecords: [ + { + ptrdname: 'contoso.com' + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + ttl: 3600 + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + soa: [ + { + name: '@' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + soaRecord: { + email: 'azureprivatedns-host.microsoft.com' + expireTime: 2419200 + host: 'azureprivatedns.net' + minimumTtl: 10 + refreshTime: 3600 + retryTime: 300 + serialNumber: '1' + } + ttl: 3600 + } + ] + srv: [ + { + name: 'SRV_contoso' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + srvRecords: [ + { + port: 9332 + priority: 0 + target: 'test.contoso.com' + weight: 0 + } + ] + ttl: 3600 + } + ] + txt: [ + { + name: 'TXT_test' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + ttl: 3600 + txtRecords: [ + { + value: [ + 'test' + ] + } + ] + } + ] + virtualNetworkLinks: [ + { + registrationEnabled: true + virtualNetworkResourceId: nestedDependencies.outputs.virtualNetworkResourceId + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/network/private-endpoint/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/private-endpoint/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..a4bc9dabca --- /dev/null +++ b/modules/network/private-endpoint/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,95 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +@description('Required. The name of the Key Vault to create.') +param keyVaultName string + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +@description('Required. The name of the Application Security Group to create.') +param applicationSecurityGroupName string + +var addressPrefix = '10.0.0.0/16' + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'defaultSubnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 16, 0) + } + } + ] + } +} + +resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = { + name: keyVaultName + location: location + properties: { + sku: { + family: 'A' + name: 'standard' + } + tenantId: tenant().tenantId + enablePurgeProtection: null + enabledForTemplateDeployment: true + enabledForDiskEncryption: true + enabledForDeployment: true + enableRbacAuthorization: true + accessPolicies: [] + } +} + +resource applicationSecurityGroup 'Microsoft.Network/applicationSecurityGroups@2023-04-01' = { + name: applicationSecurityGroupName + location: location +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { + name: 'privatelink.vaultcore.azure.net' + location: 'global' + + resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { + name: '${virtualNetwork.name}-vnetlink' + location: 'global' + properties: { + virtualNetwork: { + id: virtualNetwork.id + } + registrationEnabled: false + } + } +} + +@description('The resource ID of the created Virtual Network Subnet.') +output subnetResourceId string = virtualNetwork.properties.subnets[0].id + +@description('The resource ID of the created Key Vault.') +output keyVaultResourceId string = keyVault.id + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Private DNS Zone.') +output privateDNSZoneResourceId string = privateDNSZone.id + +@description('The resource ID of the created Application Security Group.') +output applicationSecurityGroupResourceId string = applicationSecurityGroup.id diff --git a/modules/network/private-endpoint/tests/e2e/waf-aligned/main.test.bicep b/modules/network/private-endpoint/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..dcb523c227 --- /dev/null +++ b/modules/network/private-endpoint/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,105 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.privateendpoints-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'npemax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + applicationSecurityGroupName: 'dep-${namePrefix}-asg-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + groupIds: [ + 'vault' + ] + serviceResourceId: nestedDependencies.outputs.keyVaultResourceId + subnetResourceId: nestedDependencies.outputs.subnetResourceId + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + ipConfigurations: [ + { + name: 'myIPconfig' + properties: { + groupId: 'vault' + memberName: 'default' + privateIPAddress: '10.0.0.10' + } + } + ] + customDnsConfigs: [ + { + fqdn: 'abc.keyvault.com' + ipAddresses: [ + '10.0.0.10' + ] + } + ] + customNetworkInterfaceName: '${namePrefix}${serviceShort}001nic' + applicationSecurityGroupResourceIds: [ + nestedDependencies.outputs.applicationSecurityGroupResourceId + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/network/private-link-service/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/private-link-service/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..1031dd4830 --- /dev/null +++ b/modules/network/private-link-service/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,68 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +@description('Required. The name of the Load Balancer to create.') +param loadBalancerName string + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +var addressPrefix = '10.0.0.0/16' + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'defaultSubnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 16, 0) + privateLinkServiceNetworkPolicies: 'Disabled' + } + } + ] + } +} + +resource loadBalancer 'Microsoft.Network/loadBalancers@2023-04-01' = { + name: loadBalancerName + location: location + sku: { + name: 'Standard' + } + properties: { + frontendIPConfigurations: [ + { + name: 'frontendIPConfiguration' + properties: { + subnet: { + id: virtualNetwork.properties.subnets[0].id + } + } + } + ] + } +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2023-01-31' = { + name: managedIdentityName + location: location +} + +@description('The resource ID of the created Virtual Network Subnet.') +output subnetResourceId string = virtualNetwork.properties.subnets[0].id + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Load Balancer Frontend IP Configuration.') +output loadBalancerFrontendIpConfigurationResourceId string = loadBalancer.properties.frontendIPConfigurations[0].id diff --git a/modules/network/private-link-service/tests/e2e/waf-aligned/main.test.bicep b/modules/network/private-link-service/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..8333f18672 --- /dev/null +++ b/modules/network/private-link-service/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,106 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.privatelinkservices-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'nplsmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + loadBalancerName: 'dep-${namePrefix}-lb-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + ipConfigurations: [ + { + name: '${serviceShort}01' + properties: { + primary: true + privateIPAllocationMethod: 'Dynamic' + subnet: { + id: nestedDependencies.outputs.subnetResourceId + } + } + } + ] + loadBalancerFrontendIpConfigurations: [ + { + id: nestedDependencies.outputs.loadBalancerFrontendIpConfigurationResourceId + } + ] + autoApproval: { + subscriptions: [ + '*' + ] + } + visibility: { + subscriptions: [ + subscription().subscriptionId + ] + } + enableProxyProtocol: true + fqdns: [ + '${serviceShort}.plsfqdn01.azure.privatelinkservice' + '${serviceShort}.plsfqdn02.azure.privatelinkservice' + ] + roleAssignments: [ + { + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + roleDefinitionIdOrName: 'Reader' + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/network/public-ip-address/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/public-ip-address/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..a7f42aee7b --- /dev/null +++ b/modules/network/public-ip-address/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,13 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/network/public-ip-address/tests/e2e/waf-aligned/main.test.bicep b/modules/network/public-ip-address/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..aed225af85 --- /dev/null +++ b/modules/network/public-ip-address/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,107 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.publicipaddresses-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'npiamax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + publicIPAllocationMethod: 'Static' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + skuName: 'Standard' + zones: [ + '1' + '2' + '3' + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/network/public-ip-prefix/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/public-ip-prefix/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..a7f42aee7b --- /dev/null +++ b/modules/network/public-ip-prefix/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,13 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/network/public-ip-prefix/tests/e2e/waf-aligned/main.test.bicep b/modules/network/public-ip-prefix/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..8e6d167811 --- /dev/null +++ b/modules/network/public-ip-prefix/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,73 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.publicipprefixes-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'npipmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + prefixLength: 28 + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/network/route-table/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/route-table/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..a7f42aee7b --- /dev/null +++ b/modules/network/route-table/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,13 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/network/route-table/tests/e2e/waf-aligned/main.test.bicep b/modules/network/route-table/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..591f42c921 --- /dev/null +++ b/modules/network/route-table/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,82 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.routetables-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'nrtmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + routes: [ + { + name: 'default' + properties: { + addressPrefix: '0.0.0.0/0' + nextHopIpAddress: '172.16.0.20' + nextHopType: 'VirtualAppliance' + } + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/network/service-endpoint-policy/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/service-endpoint-policy/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..a7f42aee7b --- /dev/null +++ b/modules/network/service-endpoint-policy/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,13 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/network/service-endpoint-policy/tests/e2e/waf-aligned/main.test.bicep b/modules/network/service-endpoint-policy/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..383bd64097 --- /dev/null +++ b/modules/network/service-endpoint-policy/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,85 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.serviceendpointpolicies-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'nsnpmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}-${serviceShort}-001' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + serviceEndpointPolicyDefinitions: [ + { + name: 'Storage.ServiceEndpoint' + properties: { + service: 'Microsoft.Storage' + description: 'Allow Microsoft.Storage' + serviceResources: [ + subscription().id + ] + } + type: 'Microsoft.Network/serviceEndpointPolicies/serviceEndpointPolicyDefinitions' + } + ] + } +} diff --git a/modules/network/trafficmanagerprofile/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/trafficmanagerprofile/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..a7f42aee7b --- /dev/null +++ b/modules/network/trafficmanagerprofile/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,13 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/network/trafficmanagerprofile/tests/e2e/waf-aligned/main.test.bicep b/modules/network/trafficmanagerprofile/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..e33f38cf77 --- /dev/null +++ b/modules/network/trafficmanagerprofile/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,101 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.trafficmanagerprofiles-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'ntmpmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // +var resourceName = '${namePrefix}${serviceShort}001' +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: resourceName + relativeName: resourceName + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/network/virtual-hub/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/virtual-hub/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..9c4af5313d --- /dev/null +++ b/modules/network/virtual-hub/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,42 @@ +@description('Required. The name of the Virtual WAN to create.') +param virtualWANName string + +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +var addressPrefix = '10.0.0.0/16' + +resource virtualWan 'Microsoft.Network/virtualWans@2023-04-01' = { + name: virtualWANName + location: location +} + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'defaultSubnet' + properties: { + + addressPrefix: cidrSubnet(addressPrefix, 16, 0) + } + } + ] + } +} + +@description('The resource ID of the created Virtual WAN.') +output virtualWWANResourceId string = virtualWan.id + +@description('The resource ID of the created Virtual Network.') +output virtualNetworkResourceId string = virtualNetwork.id diff --git a/modules/network/virtual-hub/tests/e2e/waf-aligned/main.test.bicep b/modules/network/virtual-hub/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..40bfcc913c --- /dev/null +++ b/modules/network/virtual-hub/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,94 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.virtualHub-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'nvhmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualWANName: 'dep-${namePrefix}-vw-${serviceShort}' + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}-${serviceShort}' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + addressPrefix: '10.1.0.0/16' + virtualWanId: nestedDependencies.outputs.virtualWWANResourceId + hubRouteTables: [ + { + name: 'routeTable1' + } + ] + hubVirtualNetworkConnections: [ + { + name: 'connection1' + remoteVirtualNetworkId: nestedDependencies.outputs.virtualNetworkResourceId + routingConfiguration: { + associatedRouteTable: { + id: '${resourceGroup.id}/providers/Microsoft.Network/virtualHubs/${namePrefix}-${serviceShort}/hubRouteTables/routeTable1' + } + propagatedRouteTables: { + ids: [ + { + id: '${resourceGroup.id}/providers/Microsoft.Network/virtualHubs/${namePrefix}-${serviceShort}/hubRouteTables/routeTable1' + } + ] + labels: [ + 'none' + ] + } + } + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/network/virtual-network/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/virtual-network/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..065c08da1e --- /dev/null +++ b/modules/network/virtual-network/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,35 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +@description('Required. The name of the Route Table to create.') +param routeTableName string + +@description('Required. The name of the Network Security Group to create.') +param networkSecurityGroupName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +resource routeTable 'Microsoft.Network/routeTables@2023-04-01' = { + name: routeTableName + location: location +} + +resource networkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2023-04-01' = { + name: networkSecurityGroupName + location: location +} + +@description('The resource ID of the created Route Table.') +output routeTableResourceId string = routeTable.id + +@description('The resource ID of the created Network Security Group.') +output networkSecurityGroupResourceId string = networkSecurityGroup.id + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/network/virtual-network/tests/e2e/waf-aligned/main.test.bicep b/modules/network/virtual-network/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..5a84c91f10 --- /dev/null +++ b/modules/network/virtual-network/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,156 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.virtualnetworks-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'nvnmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + routeTableName: 'dep-${namePrefix}-rt-${serviceShort}' + networkSecurityGroupName: 'dep-${namePrefix}-nsg-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +var addressPrefix = '10.0.0.0/16' +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + addressPrefixes: [ + addressPrefix + ] + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + dnsServers: [ + '10.0.1.4' + '10.0.1.5' + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + flowTimeoutInMinutes: 20 + subnets: [ + { + addressPrefix: cidrSubnet(addressPrefix, 24, 0) + name: 'GatewaySubnet' + } + { + addressPrefix: cidrSubnet(addressPrefix, 24, 1) + name: '${namePrefix}-az-subnet-x-001' + networkSecurityGroupId: nestedDependencies.outputs.networkSecurityGroupResourceId + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + routeTableId: nestedDependencies.outputs.routeTableResourceId + serviceEndpoints: [ + { + service: 'Microsoft.Storage' + } + { + service: 'Microsoft.Sql' + } + ] + } + { + addressPrefix: cidrSubnet(addressPrefix, 24, 2) + delegations: [ + { + name: 'netappDel' + properties: { + serviceName: 'Microsoft.Netapp/volumes' + } + } + ] + name: '${namePrefix}-az-subnet-x-002' + } + { + addressPrefix: cidrSubnet(addressPrefix, 24, 3) + name: '${namePrefix}-az-subnet-x-003' + privateEndpointNetworkPolicies: 'Disabled' + privateLinkServiceNetworkPolicies: 'Enabled' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/network/virtual-wan/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/virtual-wan/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..a7f42aee7b --- /dev/null +++ b/modules/network/virtual-wan/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,13 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/network/virtual-wan/tests/e2e/waf-aligned/main.test.bicep b/modules/network/virtual-wan/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..d0dd150785 --- /dev/null +++ b/modules/network/virtual-wan/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,76 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.virtualwans-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'nvwmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + allowBranchToBranchTraffic: true + allowVnetToVnetTraffic: true + disableVpnEncryption: true + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + type: 'Basic' + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/network/vpn-gateway/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/vpn-gateway/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..a15b268388 --- /dev/null +++ b/modules/network/vpn-gateway/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,49 @@ +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +@description('Optional. The name of the Virtual Hub to create.') +param virtualHubName string + +@description('Optional. The name of the VPN Site to create.') +param vpnSiteName string + +@description('Required. The name of the virtual WAN to create.') +param virtualWANName string + +resource virtualWan 'Microsoft.Network/virtualWans@2023-04-01' = { + name: virtualWANName + location: location +} + +resource virtualHub 'Microsoft.Network/virtualHubs@2022-01-01' = { + name: virtualHubName + location: location + properties: { + virtualWan: { + id: virtualWan.id + } + addressPrefix: '10.0.0.0/24' + } +} + +resource vpnSite 'Microsoft.Network/vpnSites@2023-04-01' = { + name: vpnSiteName + location: location + properties: { + virtualWan: { + id: virtualWan.id + } + addressSpace: { + addressPrefixes: [ + '10.1.0.0/16' + ] + } + ipAddress: '10.1.0.0' + } +} + +@description('The resource ID of the created Virtual Hub.') +output virtualHubResourceId string = virtualHub.id + +@description('The resource ID of the created VPN site.') +output vpnSiteResourceId string = vpnSite.id diff --git a/modules/network/vpn-gateway/tests/e2e/waf-aligned/main.test.bicep b/modules/network/vpn-gateway/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..798de44466 --- /dev/null +++ b/modules/network/vpn-gateway/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,102 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.vpngateways-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'nvgmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualHubName: 'dep-${namePrefix}-vh-${serviceShort}' + virtualWANName: 'dep-${namePrefix}-vw-${serviceShort}' + vpnSiteName: 'dep-${namePrefix}-vs-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + virtualHubResourceId: nestedDependencies.outputs.virtualHubResourceId + bgpSettings: { + asn: 65515 + peerWeight: 0 + } + vpnConnections: [ + { + connectionBandwidth: 100 + enableBgp: false + name: 'Connection-${last(split(nestedDependencies.outputs.vpnSiteResourceId, '/'))}' + remoteVpnSiteResourceId: nestedDependencies.outputs.vpnSiteResourceId + enableInternetSecurity: true + vpnConnectionProtocolType: 'IKEv2' + enableRateLimiting: false + useLocalAzureIpAddress: false + usePolicyBasedTrafficSelectors: false + routingWeight: 0 + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + natRules: [ + { + externalMappings: [ + { + addressSpace: '192.168.21.0/24' + } + ] + internalMappings: [ + { + addressSpace: '10.4.0.0/24' + } + ] + mode: 'EgressSnat' + name: 'natRule1' + type: 'Static' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/network/vpn-site/tests/e2e/waf-aligned/dependencies.bicep b/modules/network/vpn-site/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..8e2694c27f --- /dev/null +++ b/modules/network/vpn-site/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,24 @@ +@description('Required. The name of the managed identity to create.') +param managedIdentityName string + +@description('Required. The name of the virtual WAN to create.') +param virtualWANName string + +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +resource virtualWan 'Microsoft.Network/virtualWans@2023-04-01' = { + name: virtualWANName + location: location +} + +@description('The principal ID of the created managed identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Virtual WAN.') +output virtualWWANResourceId string = virtualWan.id diff --git a/modules/network/vpn-site/tests/e2e/waf-aligned/main.test.bicep b/modules/network/vpn-site/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..8f0bab6726 --- /dev/null +++ b/modules/network/vpn-site/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,114 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-network.vpnSites-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'nvsmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + virtualWANName: 'dep-${namePrefix}-vw-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}-${serviceShort}' + virtualWanId: nestedDependencies.outputs.virtualWWANResourceId + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + tags: { + 'hidden-title': 'This is visible in the resource name' + tagA: 'valueA' + tagB: 'valueB' + } + deviceProperties: { + linkSpeedInMbps: 0 + } + vpnSiteLinks: [ + { + name: '${namePrefix}-vSite-${serviceShort}' + properties: { + bgpProperties: { + asn: 65010 + bgpPeeringAddress: '1.1.1.1' + } + ipAddress: '1.2.3.4' + linkProperties: { + linkProviderName: 'contoso' + linkSpeedInMbps: 5 + } + } + } + { + name: 'Link1' + properties: { + bgpProperties: { + asn: 65020 + bgpPeeringAddress: '192.168.1.0' + } + ipAddress: '2.2.2.2' + linkProperties: { + linkProviderName: 'contoso' + linkSpeedInMbps: 5 + } + } + } + ] + o365Policy: { + breakOutCategories: { + optimize: true + allow: true + default: true + } + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + } +} diff --git a/modules/operational-insights/workspace/tests/e2e/waf-aligned/dependencies.bicep b/modules/operational-insights/workspace/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..8f83c0d9a1 --- /dev/null +++ b/modules/operational-insights/workspace/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,47 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Storage Account to create.') +param storageAccountName string + +@description('Required. The name of the Automation Account to create.') +param automationAccountName string + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = { + name: storageAccountName + location: location + sku: { + name: 'Standard_LRS' + } + kind: 'StorageV2' +} + +resource automationAccount 'Microsoft.Automation/automationAccounts@2022-08-08' = { + name: automationAccountName + location: location + properties: { + sku: { + name: 'Basic' + } + } +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The resource ID of the created Storage Account.') +output storageAccountResourceId string = storageAccount.id + +@description('The resource ID of the created Automation Account.') +output automationAccountResourceId string = automationAccount.id + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Managed Identity.') +output managedIdentityResourceId string = managedIdentity.id diff --git a/modules/operational-insights/workspace/tests/e2e/waf-aligned/main.test.bicep b/modules/operational-insights/workspace/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..a3d86cf782 --- /dev/null +++ b/modules/operational-insights/workspace/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,237 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-operationalinsights.workspaces-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'oiwmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + storageAccountName: 'dep${namePrefix}sa${serviceShort}' + automationAccountName: 'dep-${namePrefix}-auto-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + dailyQuotaGb: 10 + dataSources: [ + { + eventLogName: 'Application' + eventTypes: [ + { + eventType: 'Error' + } + { + eventType: 'Warning' + } + { + eventType: 'Information' + } + ] + kind: 'WindowsEvent' + name: 'applicationEvent' + } + { + counterName: '% Processor Time' + instanceName: '*' + intervalSeconds: 60 + kind: 'WindowsPerformanceCounter' + name: 'windowsPerfCounter1' + objectName: 'Processor' + } + { + kind: 'IISLogs' + name: 'sampleIISLog1' + state: 'OnPremiseEnabled' + } + { + kind: 'LinuxSyslog' + name: 'sampleSyslog1' + syslogName: 'kern' + syslogSeverities: [ + { + severity: 'emerg' + } + { + severity: 'alert' + } + { + severity: 'crit' + } + { + severity: 'err' + } + { + severity: 'warning' + } + ] + } + { + kind: 'LinuxSyslogCollection' + name: 'sampleSyslogCollection1' + state: 'Enabled' + } + { + instanceName: '*' + intervalSeconds: 10 + kind: 'LinuxPerformanceObject' + name: 'sampleLinuxPerf1' + objectName: 'Logical Disk' + syslogSeverities: [ + { + counterName: '% Used Inodes' + } + { + counterName: 'Free Megabytes' + } + { + counterName: '% Used Space' + } + { + counterName: 'Disk Transfers/sec' + } + { + counterName: 'Disk Reads/sec' + } + { + counterName: 'Disk Writes/sec' + } + ] + } + { + kind: 'LinuxPerformanceCollection' + name: 'sampleLinuxPerfCollection1' + state: 'Enabled' + } + ] + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + gallerySolutions: [ + { + name: 'AzureAutomation' + product: 'OMSGallery' + publisher: 'Microsoft' + } + ] + linkedServices: [ + { + name: 'Automation' + resourceId: nestedDependencies.outputs.automationAccountResourceId + } + ] + linkedStorageAccounts: [ + { + name: 'Query' + resourceId: nestedDependencies.outputs.storageAccountResourceId + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + publicNetworkAccessForIngestion: 'Disabled' + publicNetworkAccessForQuery: 'Disabled' + savedSearches: [ + { + category: 'VDC Saved Searches' + displayName: 'VMSS Instance Count2' + name: 'VMSSQueries' + query: 'Event | where Source == ServiceFabricNodeBootstrapAgent | summarize AggregatedValue = count() by Computer' + } + ] + storageInsightsConfigs: [ + { + storageAccountResourceId: nestedDependencies.outputs.storageAccountResourceId + tables: [ + 'LinuxsyslogVer2v0' + 'WADETWEventTable' + 'WADServiceFabric*EventTable' + 'WADWindowsEventLogsTable' + ] + } + ] + useResourcePermissions: true + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + managedIdentities: { + systemAssigned: true + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + } +} diff --git a/modules/power-bi-dedicated/capacity/tests/e2e/waf-aligned/dependencies.bicep b/modules/power-bi-dedicated/capacity/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..a7f42aee7b --- /dev/null +++ b/modules/power-bi-dedicated/capacity/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,13 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/power-bi-dedicated/capacity/tests/e2e/waf-aligned/main.test.bicep b/modules/power-bi-dedicated/capacity/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..fac442cdfe --- /dev/null +++ b/modules/power-bi-dedicated/capacity/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,76 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-powerbidedicated.capacities-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'pbdcapmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + skuCapacity: 1 + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + members: [ + nestedDependencies.outputs.managedIdentityPrincipalId + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/purview/account/tests/e2e/waf-aligned/dependencies.bicep b/modules/purview/account/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..1edeb81930 --- /dev/null +++ b/modules/purview/account/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,73 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +var addressPrefix = '10.0.0.0/16' + +var privateDNSZoneNames = [ + 'privatelink.purview.azure.com' + 'privatelink.purviewstudio.azure.com' + 'privatelink.blob.${environment().suffixes.storage}' + 'privatelink.queue.${environment().suffixes.storage}' + 'privatelink.servicebus.windows.net' +] + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'defaultSubnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 16, 0) + } + } + ] + } +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@batchSize(1) +resource privateDNSZones 'Microsoft.Network/privateDnsZones@2020-06-01' = [for privateDNSZone in privateDNSZoneNames: { + name: privateDNSZone + location: 'global' +}] + +@description('The resource ID of the created Virtual Network Subnet.') +output subnetResourceId string = virtualNetwork.properties.subnets[0].id + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Managed Identity.') +output managedIdentityResourceId string = managedIdentity.id + +@description('The resource ID of the created Private DNS Zone for Purview Account.') +output purviewAccountPrivateDNSResourceId string = privateDNSZones[0].id + +@description('The resource ID of the created Private DNS Zone for Purview Portal.') +output purviewPortalPrivateDNSResourceId string = privateDNSZones[1].id + +@description('The resource ID of the created Private DNS Zone for Storage Account Blob.') +output storageBlobPrivateDNSResourceId string = privateDNSZones[2].id + +@description('The resource ID of the created Private DNS Zone for Storage Account Queue.') +output storageQueuePrivateDNSResourceId string = privateDNSZones[3].id + +@description('The resource ID of the created Private DNS Zone for Event Hub Namespace.') +output eventHubPrivateDNSResourceId string = privateDNSZones[4].id diff --git a/modules/purview/account/tests/e2e/waf-aligned/main.test.bicep b/modules/purview/account/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..aa24c189e1 --- /dev/null +++ b/modules/purview/account/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,179 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-purview-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = 'eastus' // Only available in selected locations: eastus, eastus2, southcentralus, westcentralus, westus, westus2, westus3 + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'pvamax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' +// =========== // +// Deployments // +// =========== // + +// General resources +// ================= + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}01' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}01' + location: location + + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name)}-test-${serviceShort}' + params: { + name: '${namePrefix}${serviceShort}001' + location: location + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + managedIdentities: { + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] + } + managedResourceGroupName: '${namePrefix}${serviceShort}001-managed-rg' + publicNetworkAccess: 'Disabled' + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + accountPrivateEndpoints: [ + { + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.purviewAccountPrivateDNSResourceId + ] + service: 'account' + subnetResourceId: nestedDependencies.outputs.subnetResourceId + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + portalPrivateEndpoints: [ + { + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.purviewPortalPrivateDNSResourceId + ] + service: 'portal' + subnetResourceId: nestedDependencies.outputs.subnetResourceId + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + storageBlobPrivateEndpoints: [ + { + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.storageBlobPrivateDNSResourceId + ] + service: 'blob' + subnetResourceId: nestedDependencies.outputs.subnetResourceId + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + storageQueuePrivateEndpoints: [ + { + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.storageQueuePrivateDNSResourceId + ] + service: 'queue' + subnetResourceId: nestedDependencies.outputs.subnetResourceId + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + eventHubPrivateEndpoints: [ + { + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.eventHubPrivateDNSResourceId + ] + service: 'namespace' + subnetResourceId: nestedDependencies.outputs.subnetResourceId + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + enableDefaultTelemetry: enableDefaultTelemetry + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + } +} diff --git a/modules/recovery-services/vault/tests/e2e/waf-aligned/dependencies.bicep b/modules/recovery-services/vault/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..12b8653f54 --- /dev/null +++ b/modules/recovery-services/vault/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,63 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +var addressPrefix = '10.0.0.0/16' + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'defaultSubnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 16, 0) + } + } + ] + } +} + +resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { + name: 'privatelink.siterecovery.windowsazure.com' + location: 'global' + + resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { + name: '${virtualNetwork.name}-vnetlink' + location: 'global' + properties: { + virtualNetwork: { + id: virtualNetwork.id + } + registrationEnabled: false + } + } +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The resource ID of the created Virtual Network Subnet.') +output subnetResourceId string = virtualNetwork.properties.subnets[0].id + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Managed Identity.') +output managedIdentityResourceId string = managedIdentity.id + +@description('The resource ID of the created Private DNS Zone.') +output privateDNSZoneResourceId string = privateDNSZone.id diff --git a/modules/recovery-services/vault/tests/e2e/waf-aligned/main.test.bicep b/modules/recovery-services/vault/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..5184d05b9b --- /dev/null +++ b/modules/recovery-services/vault/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,378 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-recoveryservices.vaults-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'rsvmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + backupConfig: { + enhancedSecurityState: 'Disabled' + softDeleteFeatureState: 'Disabled' + } + backupPolicies: [ + { + name: 'VMpolicy' + properties: { + backupManagementType: 'AzureIaasVM' + instantRPDetails: {} + instantRpRetentionRangeInDays: 2 + protectedItemsCount: 0 + retentionPolicy: { + dailySchedule: { + retentionDuration: { + count: 180 + durationType: 'Days' + } + retentionTimes: [ + '2019-11-07T07:00:00Z' + ] + } + monthlySchedule: { + retentionDuration: { + count: 60 + durationType: 'Months' + } + retentionScheduleFormatType: 'Weekly' + retentionScheduleWeekly: { + daysOfTheWeek: [ + 'Sunday' + ] + weeksOfTheMonth: [ + 'First' + ] + } + retentionTimes: [ + '2019-11-07T07:00:00Z' + ] + } + retentionPolicyType: 'LongTermRetentionPolicy' + weeklySchedule: { + daysOfTheWeek: [ + 'Sunday' + ] + retentionDuration: { + count: 12 + durationType: 'Weeks' + } + retentionTimes: [ + '2019-11-07T07:00:00Z' + ] + } + yearlySchedule: { + monthsOfYear: [ + 'January' + ] + retentionDuration: { + count: 10 + durationType: 'Years' + } + retentionScheduleFormatType: 'Weekly' + retentionScheduleWeekly: { + daysOfTheWeek: [ + 'Sunday' + ] + weeksOfTheMonth: [ + 'First' + ] + } + retentionTimes: [ + '2019-11-07T07:00:00Z' + ] + } + } + schedulePolicy: { + schedulePolicyType: 'SimpleSchedulePolicy' + scheduleRunFrequency: 'Daily' + scheduleRunTimes: [ + '2019-11-07T07:00:00Z' + ] + scheduleWeeklyFrequency: 0 + } + timeZone: 'UTC' + } + } + { + name: 'sqlpolicy' + properties: { + backupManagementType: 'AzureWorkload' + protectedItemsCount: 0 + settings: { + isCompression: true + issqlcompression: true + timeZone: 'UTC' + } + subProtectionPolicy: [ + { + policyType: 'Full' + retentionPolicy: { + monthlySchedule: { + retentionDuration: { + count: 60 + durationType: 'Months' + } + retentionScheduleFormatType: 'Weekly' + retentionScheduleWeekly: { + daysOfTheWeek: [ + 'Sunday' + ] + weeksOfTheMonth: [ + 'First' + ] + } + retentionTimes: [ + '2019-11-07T22:00:00Z' + ] + } + retentionPolicyType: 'LongTermRetentionPolicy' + weeklySchedule: { + daysOfTheWeek: [ + 'Sunday' + ] + retentionDuration: { + count: 104 + durationType: 'Weeks' + } + retentionTimes: [ + '2019-11-07T22:00:00Z' + ] + } + yearlySchedule: { + monthsOfYear: [ + 'January' + ] + retentionDuration: { + count: 10 + durationType: 'Years' + } + retentionScheduleFormatType: 'Weekly' + retentionScheduleWeekly: { + daysOfTheWeek: [ + 'Sunday' + ] + weeksOfTheMonth: [ + 'First' + ] + } + retentionTimes: [ + '2019-11-07T22:00:00Z' + ] + } + } + schedulePolicy: { + schedulePolicyType: 'SimpleSchedulePolicy' + scheduleRunDays: [ + 'Sunday' + ] + scheduleRunFrequency: 'Weekly' + scheduleRunTimes: [ + '2019-11-07T22:00:00Z' + ] + scheduleWeeklyFrequency: 0 + } + } + { + policyType: 'Differential' + retentionPolicy: { + retentionDuration: { + count: 30 + durationType: 'Days' + } + retentionPolicyType: 'SimpleRetentionPolicy' + } + schedulePolicy: { + schedulePolicyType: 'SimpleSchedulePolicy' + scheduleRunDays: [ + 'Monday' + ] + scheduleRunFrequency: 'Weekly' + scheduleRunTimes: [ + '2017-03-07T02:00:00Z' + ] + scheduleWeeklyFrequency: 0 + } + } + { + policyType: 'Log' + retentionPolicy: { + retentionDuration: { + count: 15 + durationType: 'Days' + } + retentionPolicyType: 'SimpleRetentionPolicy' + } + schedulePolicy: { + scheduleFrequencyInMins: 120 + schedulePolicyType: 'LogSchedulePolicy' + } + } + ] + workLoadType: 'SQLDataBase' + } + } + { + name: 'filesharepolicy' + properties: { + backupManagementType: 'AzureStorage' + protectedItemsCount: 0 + retentionPolicy: { + dailySchedule: { + retentionDuration: { + count: 30 + durationType: 'Days' + } + retentionTimes: [ + '2019-11-07T04:30:00Z' + ] + } + retentionPolicyType: 'LongTermRetentionPolicy' + } + schedulePolicy: { + schedulePolicyType: 'SimpleSchedulePolicy' + scheduleRunFrequency: 'Daily' + scheduleRunTimes: [ + '2019-11-07T04:30:00Z' + ] + scheduleWeeklyFrequency: 0 + } + timeZone: 'UTC' + workloadType: 'AzureFileShare' + } + } + ] + backupStorageConfig: { + crossRegionRestoreFlag: true + storageModelType: 'GeoRedundant' + } + replicationAlertSettings: { + customEmailAddresses: [ + 'test.user@testcompany.com' + ] + locale: 'en-US' + sendToOwners: 'Send' + } + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] + } + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] + subnetResourceId: nestedDependencies.outputs.subnetResourceId + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + monitoringSettings: { + azureMonitorAlertSettings: { + alertsForAllJobFailures: 'Enabled' + } + classicAlertSettings: { + alertsForCriticalOperations: 'Enabled' + } + } + securitySettings: { + immutabilitySettings: { + state: 'Unlocked' + } + } + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/relay/namespace/tests/e2e/waf-aligned/dependencies.bicep b/modules/relay/namespace/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..cf1b2ab392 --- /dev/null +++ b/modules/relay/namespace/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,60 @@ +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +var addressPrefix = '10.0.0.0/16' + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'defaultSubnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 16, 0) + } + } + ] + } +} + +resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { + name: 'privatelink.servicebus.windows.net' + location: 'global' + + resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { + name: '${virtualNetwork.name}-vnetlink' + location: 'global' + properties: { + virtualNetwork: { + id: virtualNetwork.id + } + registrationEnabled: false + } + } +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The resource ID of the created Virtual Network Subnet.') +output subnetResourceId string = virtualNetwork.properties.subnets[0].id + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Private DNS Zone.') +output privateDNSZoneResourceId string = privateDNSZone.id diff --git a/modules/relay/namespace/tests/e2e/waf-aligned/main.test.bicep b/modules/relay/namespace/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..d438ec09ec --- /dev/null +++ b/modules/relay/namespace/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,181 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-relay.namespaces-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'rnmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + skuName: 'Standard' + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + networkRuleSets: { + defaultAction: 'Deny' + trustedServiceAccessEnabled: true + virtualNetworkRules: [ + { + subnet: { + ignoreMissingVnetServiceEndpoint: true + id: nestedDependencies.outputs.subnetResourceId + } + } + ] + ipRules: [ + { + ipMask: '10.0.1.0/32' + action: 'Allow' + } + { + ipMask: '10.0.2.0/32' + action: 'Allow' + } + ] + } + authorizationRules: [ + { + name: 'RootManageSharedAccessKey' + rights: [ + 'Listen' + 'Manage' + 'Send' + ] + } + { + name: 'AnotherKey' + rights: [ + 'Listen' + 'Send' + ] + } + ] + hybridConnections: [ + { + name: '${namePrefix}${serviceShort}hc001' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + userMetadata: '[{"key":"endpoint","value":"db-server.constoso.com:1433"}]' + } + ] + wcfRelays: [ + { + name: '${namePrefix}${serviceShort}wcf001' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + relayType: 'NetTcp' + } + ] + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + privateEndpoints: [ + { + service: 'namespace' + subnetResourceId: nestedDependencies.outputs.subnetResourceId + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + } +} diff --git a/modules/resource-graph/query/tests/e2e/waf-aligned/dependencies.bicep b/modules/resource-graph/query/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..a7f42aee7b --- /dev/null +++ b/modules/resource-graph/query/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,13 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/resource-graph/query/tests/e2e/waf-aligned/main.test.bicep b/modules/resource-graph/query/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..8ff4e69568 --- /dev/null +++ b/modules/resource-graph/query/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,74 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-resourcegraph.queries-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'rgqmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + query: 'resources | take 10' + queryDescription: 'An example query to list first 10 resources in the subscription.' + } +} diff --git a/modules/resources/resource-group/tests/e2e/waf-aligned/dependencies.bicep b/modules/resources/resource-group/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..8d9be85388 --- /dev/null +++ b/modules/resources/resource-group/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,17 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location + tags: { + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/resources/resource-group/tests/e2e/waf-aligned/main.test.bicep b/modules/resources/resource-group/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..91f263f885 --- /dev/null +++ b/modules/resources/resource-group/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,71 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-resources.resourcegroups-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'rrgmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/search/search-service/tests/e2e/waf-aligned/dependencies.bicep b/modules/search/search-service/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..8413dfd20e --- /dev/null +++ b/modules/search/search-service/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,13 @@ +@description('Required. The name of the managed identity to create.') +param managedIdentityName string + +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/search/search-service/tests/e2e/waf-aligned/main.test.bicep b/modules/search/search-service/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..90a01b9be8 --- /dev/null +++ b/modules/search/search-service/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,129 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-search.searchservices-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'sssmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}03' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}01' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}01' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + sku: 'standard3' + cmkEnforcement: 'Enabled' + disableLocalAuth: false + authOptions: { + aadOrApiKey: { + aadAuthFailureMode: 'http401WithBearerChallenge' + } + } + hostingMode: 'highDensity' + partitionCount: 2 + replicaCount: 3 + managedIdentities: { + systemAssigned: true + } + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + roleDefinitionIdOrName: 'Search Service Contributor' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + networkRuleSet: { + ipRules: [ + { + value: '40.74.28.0/23' + } + { + value: '87.147.204.13' + } + ] + } + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/security/azure-security-center/tests/e2e/waf-aligned/dependencies.bicep b/modules/security/azure-security-center/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..cc24476629 --- /dev/null +++ b/modules/security/azure-security-center/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,13 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Log Analytics Workspace to create.') +param logAnalyticsWorkspaceName string + +resource logAnalyticsWorkspace 'Microsoft.OperationalInsights/workspaces@2021-06-01' = { + name: logAnalyticsWorkspaceName + location: location +} + +@description('The resource ID of the created Log Analytics Workspace.') +output logAnalyticsWorkspaceResourceId string = logAnalyticsWorkspace.id diff --git a/modules/security/azure-security-center/tests/e2e/waf-aligned/main.test.bicep b/modules/security/azure-security-center/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..1118563116 --- /dev/null +++ b/modules/security/azure-security-center/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,62 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-security.azureSecurityCenter-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'sascmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + scope: '/subscriptions/${subscription().subscriptionId}' + workspaceId: nestedDependencies.outputs.logAnalyticsWorkspaceResourceId + securityContactProperties: { + alertNotifications: 'Off' + alertsToAdmins: 'Off' + email: 'foo@contoso.com' + phone: '+12345678' + } + } +} diff --git a/modules/service-bus/namespace/tests/e2e/waf-aligned/dependencies.bicep b/modules/service-bus/namespace/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..07a2e7878c --- /dev/null +++ b/modules/service-bus/namespace/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,63 @@ +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +var addressPrefix = '10.0.0.0/16' + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'defaultSubnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 16, 0) + } + } + ] + } +} + +resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { + name: 'privatelink.servicebus.windows.net' + location: 'global' + + resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { + name: '${virtualNetwork.name}-vnetlink' + location: 'global' + properties: { + virtualNetwork: { + id: virtualNetwork.id + } + registrationEnabled: false + } + } +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The resource ID of the created Virtual Network Subnet.') +output subnetResourceId string = virtualNetwork.properties.subnets[0].id + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Managed Identity.') +output managedIdentityResourceId string = managedIdentity.id + +@description('The resource ID of the created Private DNS Zone.') +output privateDNSZoneResourceId string = privateDNSZone.id diff --git a/modules/service-bus/namespace/tests/e2e/waf-aligned/main.test.bicep b/modules/service-bus/namespace/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..617b5a4832 --- /dev/null +++ b/modules/service-bus/namespace/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,226 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-servicebus.namespaces-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'sbnmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + skuName: 'Premium' + skuCapacity: 2 + premiumMessagingPartitions: 1 + zoneRedundant: true + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + + principalType: 'ServicePrincipal' + } + ] + networkRuleSets: { + defaultAction: 'Deny' + trustedServiceAccessEnabled: true + virtualNetworkRules: [ + { + ignoreMissingVnetServiceEndpoint: true + subnetResourceId: nestedDependencies.outputs.subnetResourceId + } + ] + ipRules: [ + { + ipMask: '10.0.1.0/32' + action: 'Allow' + } + { + ipMask: '10.0.2.0/32' + action: 'Allow' + } + ] + } + authorizationRules: [ + { + name: 'RootManageSharedAccessKey' + rights: [ + 'Listen' + 'Manage' + 'Send' + ] + } + { + name: 'AnotherKey' + rights: [ + 'Listen' + 'Send' + ] + } + ] + queues: [ + { + name: '${namePrefix}${serviceShort}q001' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + authorizationRules: [ + { + name: 'RootManageSharedAccessKey' + rights: [ + 'Listen' + 'Manage' + 'Send' + ] + } + { + name: 'AnotherKey' + rights: [ + 'Listen' + 'Send' + ] + } + ] + autoDeleteOnIdle: 'PT5M' + maxMessageSizeInKilobytes: 2048 + } + ] + topics: [ + { + name: '${namePrefix}${serviceShort}t001' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + authorizationRules: [ + { + name: 'RootManageSharedAccessKey' + rights: [ + 'Listen' + 'Manage' + 'Send' + ] + } + { + name: 'AnotherKey' + rights: [ + 'Listen' + 'Send' + ] + } + ] + } + ] + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + privateEndpoints: [ + { + service: 'namespace' + subnetResourceId: nestedDependencies.outputs.subnetResourceId + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] + } + disableLocalAuth: true + publicNetworkAccess: 'Enabled' + minimumTlsVersion: '1.2' + } +} diff --git a/modules/service-fabric/cluster/tests/e2e/waf-aligned/dependencies.bicep b/modules/service-fabric/cluster/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..3cf8c25ddd --- /dev/null +++ b/modules/service-fabric/cluster/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,31 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +@description('Required. The name of the storage account to create.') +param storageAccountName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +resource storageAccount 'Microsoft.Storage/storageAccounts@2021-08-01' = { + name: storageAccountName + location: location + kind: 'StorageV2' + sku: { + name: 'Standard_LRS' + } + properties: { + allowBlobPublicAccess: false + } +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The name of the created Storage Account.') +output storageAccountName string = storageAccount.name diff --git a/modules/service-fabric/cluster/tests/e2e/waf-aligned/main.test.bicep b/modules/service-fabric/cluster/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..c566919098 --- /dev/null +++ b/modules/service-fabric/cluster/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,225 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-servicefabric.clusters-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'sfcmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + storageAccountName: 'dep${namePrefix}azsa${serviceShort}01' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + tags: { + 'hidden-title': 'This is visible in the resource name' + resourceType: 'Service Fabric' + clusterName: '${namePrefix}${serviceShort}001' + } + addOnFeatures: [ + 'RepairManager' + 'DnsService' + 'BackupRestoreService' + 'ResourceMonitorService' + ] + maxUnusedVersionsToKeep: 2 + azureActiveDirectory: { + clientApplication: nestedDependencies.outputs.managedIdentityPrincipalId + clusterApplication: 'cf33fea8-b30f-424f-ab73-c48d99e0b222' + tenantId: tenant().tenantId + } + certificateCommonNames: { + commonNames: [ + { + certificateCommonName: 'certcommon' + certificateIssuerThumbprint: '0AC113D5E1D94C401DDEB0EE2B1B96CC130' + } + ] + x509StoreName: '' + } + clientCertificateCommonNames: [ + { + certificateCommonName: 'clientcommoncert1' + certificateIssuerThumbprint: '0AC113D5E1D94C401DDEB0EE2B1B96CC130' + isAdmin: false + } + { + certificateCommonName: 'clientcommoncert2' + certificateIssuerThumbprint: '0AC113D5E1D94C401DDEB0EE2B1B96CC131' + isAdmin: false + } + ] + clientCertificateThumbprints: [ + { + certificateThumbprint: '0AC113D5E1D94C401DDEB0EE2B1B96CC130' + isAdmin: false + } + { + certificateThumbprint: '0AC113D5E1D94C401DDEB0EE2B1B96CC131' + isAdmin: false + } + ] + diagnosticsStorageAccountConfig: { + blobEndpoint: 'https://${nestedDependencies.outputs.storageAccountName}.blob.${environment().suffixes.storage}/' + protectedAccountKeyName: 'StorageAccountKey1' + queueEndpoint: 'https://${nestedDependencies.outputs.storageAccountName}.queue.${environment().suffixes.storage}/' + storageAccountName: nestedDependencies.outputs.storageAccountName + tableEndpoint: 'https://${nestedDependencies.outputs.storageAccountName}.table.${environment().suffixes.storage}/' + } + fabricSettings: [ + { + name: 'Security' + parameters: [ + { + name: 'ClusterProtectionLevel' + value: 'EncryptAndSign' + } + ] + } + { + name: 'UpgradeService' + parameters: [ + { + name: 'AppPollIntervalInSeconds' + value: '60' + } + ] + } + ] + managementEndpoint: 'https://${namePrefix}${serviceShort}001.westeurope.cloudapp.azure.com:19080' + reliabilityLevel: 'Silver' + nodeTypes: [ + { + applicationPorts: { + endPort: 30000 + startPort: 20000 + } + clientConnectionEndpointPort: 19000 + durabilityLevel: 'Silver' + ephemeralPorts: { + endPort: 65534 + startPort: 49152 + } + httpGatewayEndpointPort: 19080 + isPrimary: true + name: 'Node01' + + isStateless: false + multipleAvailabilityZones: false + + placementProperties: {} + reverseProxyEndpointPort: '' + vmInstanceCount: 5 + } + { + applicationPorts: { + endPort: 30000 + startPort: 20000 + } + clientConnectionEndpointPort: 19000 + durabilityLevel: 'Bronze' + ephemeralPorts: { + endPort: 64000 + startPort: 49000 + httpGatewayEndpointPort: 19007 + isPrimary: true + name: 'Node02' + vmInstanceCount: 5 + } + } + ] + notifications: [ + { + isEnabled: true + notificationCategory: 'WaveProgress' + notificationLevel: 'Critical' + notificationTargets: [ + { + notificationChannel: 'EmailUser' + receivers: [ + 'SomeReceiver' + ] + } + ] + } + ] + upgradeDescription: { + forceRestart: false + upgradeReplicaSetCheckTimeout: '1.00:00:00' + healthCheckWaitDuration: '00:00:30' + healthCheckStableDuration: '00:01:00' + healthCheckRetryTimeout: '00:45:00' + upgradeTimeout: '02:00:00' + upgradeDomainTimeout: '02:00:00' + healthPolicy: { + maxPercentUnhealthyNodes: 0 + maxPercentUnhealthyApplications: 0 + } + deltaHealthPolicy: { + maxPercentDeltaUnhealthyNodes: 0 + maxPercentUpgradeDomainDeltaUnhealthyNodes: 0 + maxPercentDeltaUnhealthyApplications: 0 + } + + } + vmImage: 'Linux' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + applicationTypes: [ + { + name: 'WordCount' // not idempotent + } + ] + } +} diff --git a/modules/signal-r-service/signal-r/tests/e2e/waf-aligned/dependencies.bicep b/modules/signal-r-service/signal-r/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..3f02e7b5ad --- /dev/null +++ b/modules/signal-r-service/signal-r/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,62 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +var addressPrefix = '10.0.0.0/16' + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'defaultSubnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 16, 0) + privateEndpointNetworkPolicies: 'Disabled' + privateLinkServiceNetworkPolicies: 'Enabled' + } + } + ] + } +} + +resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { + name: 'privatelink.service.signalr.net' + location: 'global' + + resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { + name: '${virtualNetwork.name}-vnetlink' + location: 'global' + properties: { + virtualNetwork: { + id: virtualNetwork.id + } + registrationEnabled: false + } + } +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The resource ID of the created Virtual Network Subnet.') +output subnetResourceId string = virtualNetwork.properties.subnets[0].id + +@description('The resource ID of the created Private DNS Zone.') +output privateDNSZoneResourceId string = privateDNSZone.id + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/signal-r-service/signal-r/tests/e2e/waf-aligned/main.test.bicep b/modules/signal-r-service/signal-r/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..751e1286fd --- /dev/null +++ b/modules/signal-r-service/signal-r/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,117 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-signalrservice.signalr-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'srssrmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// =========== // +// Deployments // +// =========== // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-paramNested' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}-${serviceShort}-001' + capacity: 2 + clientCertEnabled: false + disableAadAuth: false + disableLocalAuth: true + location: location + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + kind: 'SignalR' + networkAcls: { + defaultAction: 'Allow' + privateEndpoints: [ + { + allow: [] + deny: [ + 'ServerConnection' + 'Trace' + ] + name: 'pe-${namePrefix}-${serviceShort}-001' + + } + ] + publicNetwork: { + allow: [] + deny: [ + 'RESTAPI' + 'Trace' + ] + } + } + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] + subnetResourceId: nestedDependencies.outputs.subnetResourceId + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + resourceLogConfigurationsToEnable: [ + 'ConnectivityLogs' + ] + roleAssignments: [ + { + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + roleDefinitionIdOrName: 'Reader' + principalType: 'ServicePrincipal' + } + ] + sku: 'Standard_S1' + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/signal-r-service/web-pub-sub/tests/e2e/waf-aligned/dependencies.bicep b/modules/signal-r-service/web-pub-sub/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..53f60ba74f --- /dev/null +++ b/modules/signal-r-service/web-pub-sub/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,62 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +var addressPrefix = '10.0.0.0/16' + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'defaultSubnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 16, 0) + privateEndpointNetworkPolicies: 'Disabled' + privateLinkServiceNetworkPolicies: 'Enabled' + } + } + ] + } +} + +resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { + name: 'privatelink.webpubsub.azure.com' + location: 'global' + + resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { + name: '${virtualNetwork.name}-vnetlink' + location: 'global' + properties: { + virtualNetwork: { + id: virtualNetwork.id + } + registrationEnabled: false + } + } +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The resource ID of the created Virtual Network Subnet.') +output subnetResourceId string = virtualNetwork.properties.subnets[0].id + +@description('The resource ID of the created Private DNS Zone.') +output privateDNSZoneResourceId string = privateDNSZone.id + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/signal-r-service/web-pub-sub/tests/e2e/waf-aligned/main.test.bicep b/modules/signal-r-service/web-pub-sub/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..007c6f0032 --- /dev/null +++ b/modules/signal-r-service/web-pub-sub/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,119 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-signalrservice.webpubsub-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'srswpsmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}-${serviceShort}-001' + capacity: 2 + clientCertEnabled: false + disableAadAuth: false + disableLocalAuth: true + location: location + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + networkAcls: { + defaultAction: 'Allow' + privateEndpoints: [ + { + allow: [] + deny: [ + 'ServerConnection' + 'Trace' + ] + name: 'pe-${namePrefix}-${serviceShort}-001' + } + ] + publicNetwork: { + allow: [] + deny: [ + 'RESTAPI' + 'Trace' + ] + } + } + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] + service: 'webpubsub' + subnetResourceId: nestedDependencies.outputs.subnetResourceId + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + resourceLogConfigurationsToEnable: [ + 'ConnectivityLogs' + ] + roleAssignments: [ + { + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + roleDefinitionIdOrName: 'Reader' + principalType: 'ServicePrincipal' + } + ] + sku: 'Standard_S1' + managedIdentities: { + systemAssigned: true + } + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/sql/managed-instance/tests/e2e/waf-aligned/dependencies.bicep b/modules/sql/managed-instance/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..c4e9dfd575 --- /dev/null +++ b/modules/sql/managed-instance/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,350 @@ +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +@description('Required. The name of the Network Security Group to create.') +param networkSecurityGroupName string + +@description('Required. The name of the Route Table to create.') +param routeTableName string + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +@description('Required. The name of the Key Vault to create.') +param keyVaultName string + +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +var addressPrefix = '10.0.0.0/16' +var addressPrefixString = replace(replace(addressPrefix, '.', '-'), '/', '-') + +resource networkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2023-04-01' = { + name: networkSecurityGroupName + location: location + properties: { + securityRules: [ + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-sqlmgmt-in-${addressPrefixString}-v10' + properties: { + description: 'Allow MI provisioning Control Plane Deployment and Authentication Service' + protocol: 'Tcp' + sourcePortRange: '*' + sourceAddressPrefix: 'SqlManagement' + destinationAddressPrefix: addressPrefix + access: 'Allow' + priority: 100 + direction: 'Inbound' + destinationPortRanges: [ + '9000' + '9003' + '1438' + '1440' + '1452' + ] + } + } + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-corpsaw-in-${addressPrefixString}-v10' + properties: { + description: 'Allow MI Supportability' + protocol: 'Tcp' + sourcePortRange: '*' + sourceAddressPrefix: 'CorpNetSaw' + destinationAddressPrefix: addressPrefix + access: 'Allow' + priority: 101 + direction: 'Inbound' + destinationPortRanges: [ + '9000' + '9003' + '1440' + ] + } + } + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-corppublic-in-${addressPrefixString}-v10' + properties: { + description: 'Allow MI Supportability through Corpnet ranges' + protocol: 'Tcp' + sourcePortRange: '*' + sourceAddressPrefix: 'CorpNetPublic' + destinationAddressPrefix: addressPrefix + access: 'Allow' + priority: 102 + direction: 'Inbound' + destinationPortRanges: [ + '9000' + '9003' + ] + } + } + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-healthprobe-in-${addressPrefixString}-v10' + properties: { + description: 'Allow Azure Load Balancer inbound traffic' + protocol: '*' + sourcePortRange: '*' + destinationPortRange: '*' + sourceAddressPrefix: 'AzureLoadBalancer' + destinationAddressPrefix: addressPrefix + access: 'Allow' + priority: 103 + direction: 'Inbound' + } + } + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-internal-in-${addressPrefixString}-v10' + properties: { + description: 'Allow MI internal inbound traffic' + protocol: '*' + sourcePortRange: '*' + destinationPortRange: '*' + sourceAddressPrefix: addressPrefix + destinationAddressPrefix: addressPrefix + access: 'Allow' + priority: 104 + direction: 'Inbound' + } + } + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-services-out-${addressPrefixString}-v10' + properties: { + description: 'Allow MI services outbound traffic over https' + protocol: 'Tcp' + sourcePortRange: '*' + sourceAddressPrefix: addressPrefix + destinationAddressPrefix: 'AzureCloud' + access: 'Allow' + priority: 100 + direction: 'Outbound' + destinationPortRanges: [ + '443' + '12000' + ] + } + } + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-internal-out-${addressPrefixString}-v10' + properties: { + description: 'Allow MI internal outbound traffic' + protocol: '*' + sourcePortRange: '*' + destinationPortRange: '*' + sourceAddressPrefix: addressPrefix + destinationAddressPrefix: addressPrefix + access: 'Allow' + priority: 101 + direction: 'Outbound' + } + } + ] + } +} + +resource routeTable 'Microsoft.Network/routeTables@2023-04-01' = { + name: routeTableName + location: location + properties: { + disableBgpRoutePropagation: false + routes: [ + { + name: 'Microsoft.Sql-managedInstances_UseOnly_subnet-${addressPrefixString}-to-vnetlocal' + properties: { + addressPrefix: addressPrefix + nextHopType: 'VnetLocal' + hasBgpOverride: false + } + } + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-Storage' + properties: { + addressPrefix: 'Storage' + nextHopType: 'Internet' + hasBgpOverride: false + } + } + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-SqlManagement' + properties: { + addressPrefix: 'SqlManagement' + nextHopType: 'Internet' + hasBgpOverride: false + } + } + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-AzureMonitor' + properties: { + addressPrefix: 'AzureMonitor' + nextHopType: 'Internet' + hasBgpOverride: false + } + } + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-CorpNetSaw' + properties: { + addressPrefix: 'CorpNetSaw' + nextHopType: 'Internet' + hasBgpOverride: false + } + } + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-CorpNetPublic' + properties: { + addressPrefix: 'CorpNetPublic' + nextHopType: 'Internet' + hasBgpOverride: false + } + } + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-AzureActiveDirectory' + properties: { + addressPrefix: 'AzureActiveDirectory' + nextHopType: 'Internet' + hasBgpOverride: false + } + } + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-AzureCloud.westeurope' + properties: { + addressPrefix: 'AzureCloud.westeurope' + nextHopType: 'Internet' + hasBgpOverride: false + } + } + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-AzureCloud.northeurope' + properties: { + addressPrefix: 'AzureCloud.northeurope' + nextHopType: 'Internet' + hasBgpOverride: false + } + } + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-Storage.westeurope' + properties: { + addressPrefix: 'Storage.westeurope' + nextHopType: 'Internet' + hasBgpOverride: false + } + } + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-Storage.northeurope' + properties: { + addressPrefix: 'Storage.northeurope' + nextHopType: 'Internet' + hasBgpOverride: false + } + } + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-EventHub.westeurope' + properties: { + addressPrefix: 'EventHub.westeurope' + nextHopType: 'Internet' + hasBgpOverride: false + } + } + { + name: 'Microsoft.Sql-managedInstances_UseOnly_mi-EventHub.northeurope' + properties: { + addressPrefix: 'EventHub.northeurope' + nextHopType: 'Internet' + hasBgpOverride: false + } + } + ] + } +} + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'ManagedInstance' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 16, 0) + routeTable: { + id: routeTable.id + } + networkSecurityGroup: { + id: networkSecurityGroup.id + } + delegations: [ + { + name: 'managedInstanceDelegation' + properties: { + serviceName: 'Microsoft.Sql/managedInstances' + } + } + ] + } + } + ] + } +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = { + name: keyVaultName + location: location + properties: { + sku: { + family: 'A' + name: 'standard' + } + tenantId: tenant().tenantId + enablePurgeProtection: true + softDeleteRetentionInDays: 7 + enabledForTemplateDeployment: true + enabledForDiskEncryption: true + enabledForDeployment: true + enableRbacAuthorization: true + accessPolicies: [] + } + + resource key 'keys@2022-07-01' = { + name: 'keyEncryptionKey' + properties: { + kty: 'RSA' + } + } +} + +resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-Key-Reader-RoleAssignment') + scope: keyVault::key + properties: { + principalId: managedIdentity.properties.principalId + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6') // Key Vault Crypto Service Encryption User + principalType: 'ServicePrincipal' + } +} + +@description('The resource ID of the created Virtual Network Subnet.') +output subnetResourceId string = virtualNetwork.properties.subnets[0].id + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Managed Identity.') +output managedIdentityResourceId string = managedIdentity.id + +@description('The URL of the created Key Vault Encryption Key.') +output keyVaultEncryptionKeyUrl string = keyVault::key.properties.keyUriWithVersion + +@description('The name of the created Key Vault Encryption Key.') +output keyVaultKeyName string = keyVault::key.name + +@description('The name of the created Key Vault.') +output keyVaultName string = keyVault.name diff --git a/modules/sql/managed-instance/tests/e2e/waf-aligned/main.test.bicep b/modules/sql/managed-instance/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..401b4c47a9 --- /dev/null +++ b/modules/sql/managed-instance/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,181 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-sql.managedinstances-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'sqlmimax' + +@description('Generated. Used as a basis for unique resource names.') +param baseTime string = utcNow('u') + +@description('Optional. The password to leverage for the login.') +@secure() +param password string = newGuid() + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + // Adding base time to make the name unique as purge protection must be enabled (but may not be longer than 24 characters total) + keyVaultName: 'dep${namePrefix}kv${serviceShort}${substring(uniqueString(baseTime), 0, 3)}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + networkSecurityGroupName: 'dep-${namePrefix}-nsg-${serviceShort}' + routeTableName: 'dep-${namePrefix}-rt-${serviceShort}' + location: location + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}azsa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}-${serviceShort}' + administratorLogin: 'adminUserName' + administratorLoginPassword: password + subnetId: nestedDependencies.outputs.subnetResourceId + collation: 'SQL_Latin1_General_CP1_CI_AS' + databases: [ + { + backupLongTermRetentionPolicies: { + name: 'default' + } + backupShortTermRetentionPolicies: { + name: 'default' + } + name: '${namePrefix}-${serviceShort}-db-001' + diagnosticSettings: [ + { + name: 'customSetting' + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + } + ] + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + dnsZonePartner: '' + encryptionProtectorObj: { + serverKeyName: '${nestedDependencies.outputs.keyVaultName}_${nestedDependencies.outputs.keyVaultKeyName}_${last(split(nestedDependencies.outputs.keyVaultEncryptionKeyUrl, '/'))}' + serverKeyType: 'AzureKeyVault' + } + hardwareFamily: 'Gen5' + keys: [ + { + name: '${nestedDependencies.outputs.keyVaultName}_${nestedDependencies.outputs.keyVaultKeyName}_${last(split(nestedDependencies.outputs.keyVaultEncryptionKeyUrl, '/'))}' + serverKeyType: 'AzureKeyVault' + uri: nestedDependencies.outputs.keyVaultEncryptionKeyUrl + } + ] + licenseType: 'LicenseIncluded' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + primaryUserAssignedIdentityId: nestedDependencies.outputs.managedIdentityResourceId + proxyOverride: 'Proxy' + publicDataEndpointEnabled: false + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + securityAlertPoliciesObj: { + emailAccountAdmins: true + name: 'default' + state: 'Enabled' + } + servicePrincipal: 'SystemAssigned' + skuName: 'GP_Gen5' + skuTier: 'GeneralPurpose' + storageSizeInGB: 32 + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] + } + timezoneId: 'UTC' + vCores: 4 + vulnerabilityAssessmentsObj: { + emailSubscriptionAdmins: true + name: 'default' + recurringScansEmails: [ + 'test1@contoso.com' + 'test2@contoso.com' + ] + recurringScansIsEnabled: true + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + } +} diff --git a/modules/sql/server/tests/e2e/waf-aligned/dependencies.bicep b/modules/sql/server/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..5f68856202 --- /dev/null +++ b/modules/sql/server/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,111 @@ +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +@description('Required. The name of the Key Vault to create.') +param keyVaultName string + +var addressPrefix = '10.0.0.0/16' + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: map(range(0, 2), i => { + name: 'subnet-${i}' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 24, i) + } + }) + } +} + +resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { + name: 'privatelink${environment().suffixes.sqlServerHostname}' + location: 'global' + + resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { + name: '${virtualNetwork.name}-vnetlink' + location: 'global' + properties: { + virtualNetwork: { + id: virtualNetwork.id + } + registrationEnabled: false + } + } +} + +resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' = { + name: keyVaultName + location: location + properties: { + sku: { + family: 'A' + name: 'standard' + } + tenantId: tenant().tenantId + enablePurgeProtection: null + enabledForTemplateDeployment: true + enabledForDiskEncryption: true + enabledForDeployment: true + enableRbacAuthorization: true + accessPolicies: [] + } + + resource key 'keys@2022-07-01' = { + name: 'keyEncryptionKey' + properties: { + kty: 'RSA' + } + } +} + +resource keyPermissions 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + name: guid('msi-${keyVault::key.id}-${location}-${managedIdentity.id}-Key-Vault-Crypto-Service-Encryption-User-RoleAssignment') + scope: keyVault::key + properties: { + principalId: managedIdentity.properties.principalId + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'e147488a-f6f5-4113-8e2d-b22465e65bf6') // Key Vault Crypto Service Encryption User + principalType: 'ServicePrincipal' + } +} + +@description('The principal ID of the created managed identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created managed identity.') +output managedIdentityResourceId string = managedIdentity.id + +@description('The resource ID of the created virtual network subnet for a Private Endpoint.') +output privateEndpointSubnetResourceId string = virtualNetwork.properties.subnets[0].id + +@description('The resource ID of the created virtual network subnet for a Service Endpoint.') +output serviceEndpointSubnetResourceId string = virtualNetwork.properties.subnets[1].id + +@description('The resource ID of the created Private DNS Zone.') +output privateDNSZoneResourceId string = privateDNSZone.id + +@description('The URL of the created Key Vault Encryption Key.') +output keyVaultEncryptionKeyUrl string = keyVault::key.properties.keyUriWithVersion + +@description('The name of the created Key Vault Encryption Key.') +output keyVaultKeyName string = keyVault::key.name + +@description('The name of the created Key Vault.') +output keyVaultName string = keyVault.name diff --git a/modules/sql/server/tests/e2e/waf-aligned/main.test.bicep b/modules/sql/server/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..bea350e17c --- /dev/null +++ b/modules/sql/server/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,197 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-sql.servers-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'sqlsmax' + +@description('Optional. The password to leverage for the login.') +@secure() +param password string = newGuid() + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + keyVaultName: 'dep-${namePrefix}-kv-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + location: location + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}azsa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}-${serviceShort}' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + primaryUserAssignedIdentityId: nestedDependencies.outputs.managedIdentityResourceId + administratorLogin: 'adminUserName' + administratorLoginPassword: password + location: location + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + vulnerabilityAssessmentsObj: { + name: 'default' + emailSubscriptionAdmins: true + recurringScansIsEnabled: true + recurringScansEmails: [ + 'test1@contoso.com' + 'test2@contoso.com' + ] + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + } + elasticPools: [ + { + name: '${namePrefix}-${serviceShort}-ep-001' + skuName: 'GP_Gen5' + skuTier: 'GeneralPurpose' + skuCapacity: 10 + // Pre-existing 'public' configuration + maintenanceConfigurationId: '${subscription().id}/providers/Microsoft.Maintenance/publicMaintenanceConfigurations/SQL_${location}_DB_1' + } + ] + databases: [ + { + name: '${namePrefix}-${serviceShort}db-001' + collation: 'SQL_Latin1_General_CP1_CI_AS' + skuTier: 'GeneralPurpose' + skuName: 'ElasticPool' + capacity: 0 + maxSizeBytes: 34359738368 + licenseType: 'LicenseIncluded' + diagnosticSettings: [ + { + name: 'customSetting' + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + elasticPoolId: '${resourceGroup.id}/providers/Microsoft.Sql/servers/${namePrefix}-${serviceShort}/elasticPools/${namePrefix}-${serviceShort}-ep-001' + encryptionProtectorObj: { + serverKeyType: 'AzureKeyVault' + serverKeyName: '${nestedDependencies.outputs.keyVaultName}_${nestedDependencies.outputs.keyVaultKeyName}_${last(split(nestedDependencies.outputs.keyVaultEncryptionKeyUrl, '/'))}' + } + backupShortTermRetentionPolicy: { + retentionDays: 14 + } + backupLongTermRetentionPolicy: { + monthlyRetention: 'P6M' + } + } + ] + firewallRules: [ + { + name: 'AllowAllWindowsAzureIps' + endIpAddress: '0.0.0.0' + startIpAddress: '0.0.0.0' + } + ] + securityAlertPolicies: [ + { + name: 'Default' + state: 'Enabled' + emailAccountAdmins: true + } + ] + keys: [ + { + name: '${nestedDependencies.outputs.keyVaultName}_${nestedDependencies.outputs.keyVaultKeyName}_${last(split(nestedDependencies.outputs.keyVaultEncryptionKeyUrl, '/'))}' + serverKeyType: 'AzureKeyVault' + uri: nestedDependencies.outputs.keyVaultEncryptionKeyUrl + } + ] + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] + } + privateEndpoints: [ + { + subnetResourceId: nestedDependencies.outputs.privateEndpointSubnetResourceId + service: 'sqlServer' + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + virtualNetworkRules: [ + { + ignoreMissingVnetServiceEndpoint: true + name: 'newVnetRule1' + virtualNetworkSubnetId: nestedDependencies.outputs.serviceEndpointSubnetResourceId + } + ] + restrictOutboundNetworkAccess: 'Disabled' + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/storage/storage-account/tests/e2e/waf-aligned/dependencies.bicep b/modules/storage/storage-account/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..b7cff8b3d2 --- /dev/null +++ b/modules/storage/storage-account/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,68 @@ +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +var addressPrefix = '10.0.0.0/16' + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'defaultSubnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 16, 0) + serviceEndpoints: [ + { + service: 'Microsoft.Storage' + } + ] + } + } + ] + } +} + +resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { + name: 'privatelink.blob.${environment().suffixes.storage}' + location: 'global' + + resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { + name: '${virtualNetwork.name}-vnetlink' + location: 'global' + properties: { + virtualNetwork: { + id: virtualNetwork.id + } + registrationEnabled: false + } + } +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The resource ID of the created Virtual Network Subnet.') +output subnetResourceId string = virtualNetwork.properties.subnets[0].id + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Managed Identity.') +output managedIdentityResourceId string = managedIdentity.id + +@description('The resource ID of the created Private DNS Zone.') +output privateDNSZoneResourceId string = privateDNSZone.id diff --git a/modules/storage/storage-account/tests/e2e/waf-aligned/main.test.bicep b/modules/storage/storage-account/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..60b068d260 --- /dev/null +++ b/modules/storage/storage-account/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,333 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-storage.storageaccounts-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'ssamax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + skuName: 'Standard_LRS' + allowBlobPublicAccess: false + requireInfrastructureEncryption: true + largeFileSharesState: 'Enabled' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + enableHierarchicalNamespace: true + enableSftp: true + enableNfsV3: true + privateEndpoints: [ + { + service: 'blob' + subnetResourceId: nestedDependencies.outputs.subnetResourceId + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + networkAcls: { + bypass: 'AzureServices' + defaultAction: 'Deny' + virtualNetworkRules: [ + { + action: 'Allow' + id: nestedDependencies.outputs.subnetResourceId + } + ] + ipRules: [ + { + action: 'Allow' + value: '1.1.1.1' + } + ] + } + localUsers: [ + { + storageAccountName: '${namePrefix}${serviceShort}001' + name: 'testuser' + hasSharedKey: false + hasSshKey: true + hasSshPassword: false + homeDirectory: 'avdscripts' + permissionScopes: [ + { + permissions: 'r' + service: 'blob' + resourceName: 'avdscripts' + } + ] + } + ] + blobServices: { + lastAccessTimeTrackingPolicyEnabled: true + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + containers: [ + { + name: 'avdscripts' + enableNfsV3AllSquash: true + enableNfsV3RootSquash: true + publicAccess: 'None' + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + } + { + name: 'archivecontainer' + publicAccess: 'None' + metadata: { + testKey: 'testValue' + } + enableWORM: true + WORMRetention: 666 + allowProtectedAppendWrites: false + } + ] + automaticSnapshotPolicyEnabled: true + containerDeleteRetentionPolicyEnabled: true + containerDeleteRetentionPolicyDays: 10 + deleteRetentionPolicyEnabled: true + deleteRetentionPolicyDays: 9 + } + fileServices: { + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + shares: [ + { + name: 'avdprofiles' + accessTier: 'Hot' + shareQuota: 5120 + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + } + { + name: 'avdprofiles2' + shareQuota: 102400 + } + ] + } + tableServices: { + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + tables: [ + 'table1' + 'table2' + ] + } + queueServices: { + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + queues: [ + { + name: 'queue1' + metadata: { + key1: 'value1' + key2: 'value2' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + } + { + name: 'queue2' + metadata: {} + } + ] + } + sasExpirationPeriod: '180.00:00:00' + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + managementPolicyRules: [ + { + enabled: true + name: 'FirstRule' + type: 'Lifecycle' + definition: { + actions: { + baseBlob: { + delete: { + daysAfterModificationGreaterThan: 30 + } + tierToCool: { + daysAfterLastAccessTimeGreaterThan: 5 + } + } + } + filters: { + blobIndexMatch: [ + { + name: 'BlobIndex' + op: '==' + value: '1' + } + ] + blobTypes: [ + 'blockBlob' + ] + prefixMatch: [ + 'sample-container/log' + ] + } + } + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/synapse/private-link-hub/tests/e2e/waf-aligned/dependencies.bicep b/modules/synapse/private-link-hub/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..d7ca02fccb --- /dev/null +++ b/modules/synapse/private-link-hub/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,74 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Network Security Group to create.') +param networkSecurityGroupName string + +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +var addressPrefix = '10.0.0.0/16' + +resource networkSecurityGroup 'Microsoft.Network/networkSecurityGroups@2023-04-01' = { + name: networkSecurityGroupName + location: location + properties: {} +} + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'defaultSubnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 16, 0) + networkSecurityGroup: { + id: networkSecurityGroup.id + } + privateEndpointNetworkPolicies: 'Disabled' + privateLinkServiceNetworkPolicies: 'Enabled' + } + } + ] + } +} + +resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { + name: 'privatelink.azuresynapse.net' + location: 'global' + + resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { + name: '${virtualNetwork.name}-vnetlink' + location: 'global' + properties: { + virtualNetwork: { + id: virtualNetwork.id + } + registrationEnabled: false + } + } +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The resource ID of the created Virtual Network Subnet.') +output subnetResourceId string = virtualNetwork.properties.subnets[0].id + +@description('The resource ID of the created Private DNS Zone.') +output privateDNSZoneResourceId string = privateDNSZone.id + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/synapse/private-link-hub/tests/e2e/waf-aligned/main.test.bicep b/modules/synapse/private-link-hub/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..5f1dc18c70 --- /dev/null +++ b/modules/synapse/private-link-hub/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,93 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-synapse.privatelinkhubs-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'splhmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + networkSecurityGroupName: 'dep-${namePrefix}-nsg-${serviceShort}' + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] + service: 'Web' + subnetResourceId: nestedDependencies.outputs.subnetResourceId + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + { + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c' + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/synapse/workspace/tests/e2e/waf-aligned/dependencies.bicep b/modules/synapse/workspace/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..52da267176 --- /dev/null +++ b/modules/synapse/workspace/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,92 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +@description('Required. The name of the Storage Account to create.') +param storageAccountName string + +var addressPrefix = '10.0.0.0/16' + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'defaultSubnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 16, 0) + } + } + ] + } +} + +resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { + name: 'privatelink.sql.azuresynapse.net' + location: 'global' + + resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { + name: '${virtualNetworkName}-vnetlink' + location: 'global' + properties: { + virtualNetwork: { + id: virtualNetwork.id + } + registrationEnabled: false + } + } +} + +resource storageAccount 'Microsoft.Storage/storageAccounts@2022-09-01' = { + name: storageAccountName + location: location + sku: { + name: 'Standard_LRS' + } + kind: 'StorageV2' + properties: { + isHnsEnabled: true + } + + resource blobService 'blobServices@2022-09-01' = { + name: 'default' + + resource container 'containers@2022-09-01' = { + name: 'synapsews' + } + } +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Managed Identity.') +output managedIdentityResourceId string = managedIdentity.id + +@description('The resource ID of the created Virtual Network Subnet.') +output subnetResourceId string = virtualNetwork.properties.subnets[0].id + +@description('The resource ID of the created Private DNS Zone.') +output privateDNSZoneResourceId string = privateDNSZone.id + +@description('The resource ID of the created Storage Account.') +output storageAccountResourceId string = storageAccount.id + +@description('The name of the created container.') +output storageContainerName string = storageAccount::blobService::container.name diff --git a/modules/synapse/workspace/tests/e2e/waf-aligned/main.test.bicep b/modules/synapse/workspace/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..70526bbe29 --- /dev/null +++ b/modules/synapse/workspace/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,124 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-synapse.workspaces-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'swmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2022-09-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + storageAccountName: 'dep${namePrefix}sa${serviceShort}01' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + location: location + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + name: '${namePrefix}${serviceShort}001' + defaultDataLakeStorageAccountResourceId: nestedDependencies.outputs.storageAccountResourceId + defaultDataLakeStorageFilesystem: nestedDependencies.outputs.storageContainerName + sqlAdministratorLogin: 'synwsadmin' + initialWorkspaceAdminObjectID: nestedDependencies.outputs.managedIdentityPrincipalId + userAssignedIdentities: { + '${nestedDependencies.outputs.managedIdentityResourceId}': {} + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + privateEndpoints: [ + { + subnetResourceId: nestedDependencies.outputs.subnetResourceId + service: 'SQL' + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + managedVirtualNetwork: true + integrationRuntimes: [ + { + type: 'SelfHosted' + name: 'shir01' + } + ] + diagnosticSettings: [ + { + name: 'customSetting' + logCategoriesAndGroups: [ + { + category: 'SynapseRbacOperations' + } + { + category: 'SynapseLinkEvent' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + enableDefaultTelemetry: enableDefaultTelemetry + } +} diff --git a/modules/virtual-machine-images/image-template/tests/e2e/waf-aligned/dependencies.bicep b/modules/virtual-machine-images/image-template/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..ec4e08c2d4 --- /dev/null +++ b/modules/virtual-machine-images/image-template/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,99 @@ +@description('Optional. The location to deploy resources to.') +param location string = resourceGroup().location + +@description('Required. The name of the Shared Image Gallery to create.') +param galleryName string + +@description('Required. The name of the Image Definition to create in the Shared Image Gallery.') +param sigImageDefinitionName string + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +@description('Optional. The name of the Virtual Network to create.') +param virtualNetworkName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +var addressPrefix = '10.0.0.0/16' + +resource gallery 'Microsoft.Compute/galleries@2022-03-03' = { + name: galleryName + location: location + properties: {} +} + +resource galleryImageDefinition 'Microsoft.Compute/galleries/images@2022-03-03' = { + name: sigImageDefinitionName + location: location + parent: gallery + properties: { + architecture: 'x64' + hyperVGeneration: 'V2' + identifier: { + offer: 'Windows-11' + publisher: 'MicrosoftWindowsDesktop' + sku: 'Win11-AVD-g2' + } + osState: 'Generalized' + osType: 'Windows' + recommended: { + memory: { + max: 16 + min: 4 + } + vCPUs: { + max: 8 + min: 2 + } + } + } +} + +resource msi_contibutorRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + name: guid(resourceGroup().id, 'Contributor', '[[namePrefix]]') + properties: { + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'b24988ac-6180-42a0-ab88-20f7382dd24c') // Contributor + principalId: managedIdentity.properties.principalId + principalType: 'ServicePrincipal' + } +} + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'defaultSubnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 16, 0) + privateLinkServiceNetworkPolicies: 'Disabled' + } + } + ] + } +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityResourceId string = managedIdentity.id + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The name of the created Managed Identity.') +output managedIdentityName string = managedIdentity.name + +@description('The resource ID of the created Image Definition.') +output sigImageDefinitionId string = galleryImageDefinition.id + +@description('The subnet resource id of the defaultSubnet of the created Virtual Network.') +output subnetId string = '${virtualNetwork.id}/subnets/defaultSubnet' diff --git a/modules/virtual-machine-images/image-template/tests/e2e/waf-aligned/main.test.bicep b/modules/virtual-machine-images/image-template/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..254fadcce6 --- /dev/null +++ b/modules/virtual-machine-images/image-template/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,119 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-virtualmachineimages.imagetemplates-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'vmiitmax' + +@description('Optional. The version of the Azure Compute Gallery Image Definition to be added.') +param sigImageVersion string = utcNow('yyyy.MM.dd') + +@description('Optional. The staging resource group name in the same location and subscription as the image template. Must not exist.') +param stagingResourceGroupName string = 'ms.virtualmachineimages.imagetemplates-${serviceShort}-staging-rg' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + sigImageDefinitionName: 'dep-${namePrefix}-imgd-${serviceShort}' + galleryName: 'dep${namePrefix}sig${serviceShort}' + virtualNetworkName: 'dep${namePrefix}-vnet-${serviceShort}' + } +} + +// required for the Azure Image Builder service to assign the list of User Assigned Identities to the Build VM. +resource msi_managedIdentityOperatorRoleAssignment 'Microsoft.Authorization/roleAssignments@2022-04-01' = { + name: guid(subscription().id, 'ManagedIdentityContributor', '${namePrefix}') + properties: { + roleDefinitionId: subscriptionResourceId('Microsoft.Authorization/roleDefinitions', 'f1a07417-d97a-45cb-824c-7a7467783830') // Managed Identity Operator + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + customizationSteps: [ + { + restartTimeout: '10m' + type: 'WindowsRestart' + } + ] + imageSource: { + offer: 'Windows-11' + publisher: 'MicrosoftWindowsDesktop' + sku: 'win11-22h2-avd' + type: 'PlatformImage' + version: 'latest' + } + buildTimeoutInMinutes: 60 + imageReplicationRegions: [] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedImageName: '${namePrefix}-mi-${serviceShort}-001' + osDiskSizeGB: 127 + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + sigImageDefinitionId: nestedDependencies.outputs.sigImageDefinitionId + sigImageVersion: sigImageVersion + subnetId: nestedDependencies.outputs.subnetId + stagingResourceGroup: '${subscription().id}/resourcegroups/${stagingResourceGroupName}' + unManagedImageName: '${namePrefix}-umi-${serviceShort}-001' + userAssignedIdentities: [ + nestedDependencies.outputs.managedIdentityResourceId + ] + userMsiName: nestedDependencies.outputs.managedIdentityName + userMsiResourceGroup: resourceGroupName + vmSize: 'Standard_D2s_v3' + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/web/connection/tests/e2e/waf-aligned/dependencies.bicep b/modules/web/connection/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..a7f42aee7b --- /dev/null +++ b/modules/web/connection/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,13 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/web/connection/tests/e2e/waf-aligned/main.test.bicep b/modules/web/connection/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..185384cf04 --- /dev/null +++ b/modules/web/connection/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,77 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-web.connections-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'wcmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + displayName: 'azuremonitorlogs' + name: 'azuremonitor' + api: { + id: '${subscription().id}/providers/Microsoft.Web/locations/westeurope/managedApis/azuremonitorlogs' + + } + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/web/serverfarm/tests/e2e/waf-aligned/dependencies.bicep b/modules/web/serverfarm/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..a7f42aee7b --- /dev/null +++ b/modules/web/serverfarm/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,13 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId diff --git a/modules/web/serverfarm/tests/e2e/waf-aligned/main.test.bicep b/modules/web/serverfarm/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..ab5b234c99 --- /dev/null +++ b/modules/web/serverfarm/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,107 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-web.serverfarms-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'wsfmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + } +} + +// Diagnostics +// =========== +module diagnosticDependencies '../../../../../.shared/.templates/diagnostic.dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-diagnosticDependencies' + params: { + storageAccountName: 'dep${namePrefix}diasa${serviceShort}01' + logAnalyticsWorkspaceName: 'dep-${namePrefix}-law-${serviceShort}' + eventHubNamespaceEventHubName: 'dep-${namePrefix}-evh-${serviceShort}' + eventHubNamespaceName: 'dep-${namePrefix}-evhns-${serviceShort}' + location: location + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + sku: { + capacity: '1' + family: 'S' + name: 'S1' + size: 'S1' + tier: 'Standard' + } + diagnosticSettings: [ + { + name: 'customSetting' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + eventHubName: diagnosticDependencies.outputs.eventHubNamespaceEventHubName + eventHubAuthorizationRuleResourceId: diagnosticDependencies.outputs.eventHubAuthorizationRuleId + storageAccountResourceId: diagnosticDependencies.outputs.storageAccountResourceId + workspaceResourceId: diagnosticDependencies.outputs.logAnalyticsWorkspaceResourceId + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} diff --git a/modules/web/static-site/tests/e2e/waf-aligned/dependencies.bicep b/modules/web/static-site/tests/e2e/waf-aligned/dependencies.bicep new file mode 100644 index 0000000000..7939cfd2d2 --- /dev/null +++ b/modules/web/static-site/tests/e2e/waf-aligned/dependencies.bicep @@ -0,0 +1,94 @@ +@description('Optional. The location to deploy to.') +param location string = resourceGroup().location + +@description('Required. The name of the Virtual Network to create.') +param virtualNetworkName string + +@description('Required. The name of the Managed Identity to create.') +param managedIdentityName string + +@description('Required. The name of the Function App to create.') +param siteName string + +@description('Required. The name of the Server Farm to create.') +param serverFarmName string + +var addressPrefix = '10.0.0.0/16' + +resource virtualNetwork 'Microsoft.Network/virtualNetworks@2023-04-01' = { + name: virtualNetworkName + location: location + properties: { + addressSpace: { + addressPrefixes: [ + addressPrefix + ] + } + subnets: [ + { + name: 'defaultSubnet' + properties: { + addressPrefix: cidrSubnet(addressPrefix, 16, 0) + } + } + ] + } +} + +resource privateDNSZone 'Microsoft.Network/privateDnsZones@2020-06-01' = { + name: 'privatelink.azurestaticapps.net' + location: 'global' + + resource virtualNetworkLinks 'virtualNetworkLinks@2020-06-01' = { + name: '${virtualNetwork.name}-vnetlink' + location: 'global' + properties: { + virtualNetwork: { + id: virtualNetwork.id + } + registrationEnabled: false + } + } +} + +resource managedIdentity 'Microsoft.ManagedIdentity/userAssignedIdentities@2018-11-30' = { + name: managedIdentityName + location: location +} + +resource serverFarm 'Microsoft.Web/serverfarms@2022-03-01' = { + name: serverFarmName + location: location + sku: { + name: 'S1' + tier: 'Standard' + size: 'S1' + family: 'S' + capacity: 1 + } + properties: {} +} + +resource functionApp 'Microsoft.Web/sites@2022-03-01' = { + name: siteName + location: location + kind: 'functionapp' + properties: { + serverFarmId: serverFarm.id + } +} + +@description('The resource ID of the created Virtual Network Subnet.') +output subnetResourceId string = virtualNetwork.properties.subnets[0].id + +@description('The principal ID of the created Managed Identity.') +output managedIdentityPrincipalId string = managedIdentity.properties.principalId + +@description('The resource ID of the created Managed Identity.') +output managedIdentityResourceId string = managedIdentity.id + +@description('The resource ID of the created Private DNS zone.') +output privateDNSZoneResourceId string = privateDNSZone.id + +@description('The resource ID of the created Function App.') +output siteResourceId string = functionApp.id diff --git a/modules/web/static-site/tests/e2e/waf-aligned/main.test.bicep b/modules/web/static-site/tests/e2e/waf-aligned/main.test.bicep new file mode 100644 index 0000000000..0a800c70a2 --- /dev/null +++ b/modules/web/static-site/tests/e2e/waf-aligned/main.test.bicep @@ -0,0 +1,109 @@ +targetScope = 'subscription' + +metadata name = 'Using large parameter set' +metadata description = 'This instance deploys the module with most of its features enabled.' + +// ========== // +// Parameters // +// ========== // + +@description('Optional. The name of the resource group to deploy for testing purposes.') +@maxLength(90) +param resourceGroupName string = 'dep-${namePrefix}-web.staticsites-${serviceShort}-rg' + +@description('Optional. The location to deploy resources to.') +param location string = deployment().location + +@description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') +param serviceShort string = 'wssmax' + +@description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') +param enableDefaultTelemetry bool = true + +@description('Optional. A token to inject into the name of each resource.') +param namePrefix string = '[[namePrefix]]' + +// ============ // +// Dependencies // +// ============ // + +// General resources +// ================= +resource resourceGroup 'Microsoft.Resources/resourceGroups@2021-04-01' = { + name: resourceGroupName + location: location +} + +module nestedDependencies 'dependencies.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-nestedDependencies' + params: { + virtualNetworkName: 'dep-${namePrefix}-vnet-${serviceShort}' + managedIdentityName: 'dep-${namePrefix}-msi-${serviceShort}' + siteName: 'dep-${namePrefix}-fa-${serviceShort}' + serverFarmName: 'dep-${namePrefix}-sf-${serviceShort}' + } +} + +// ============== // +// Test Execution // +// ============== // + +module testDeployment '../../../main.bicep' = { + scope: resourceGroup + name: '${uniqueString(deployment().name, location)}-test-${serviceShort}' + params: { + enableDefaultTelemetry: enableDefaultTelemetry + name: '${namePrefix}${serviceShort}001' + allowConfigFileUpdates: true + enterpriseGradeCdnStatus: 'Disabled' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + privateEndpoints: [ + { + subnetResourceId: nestedDependencies.outputs.subnetResourceId + privateDnsZoneResourceIds: [ + nestedDependencies.outputs.privateDNSZoneResourceId + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + roleAssignments: [ + { + roleDefinitionIdOrName: 'Reader' + principalId: nestedDependencies.outputs.managedIdentityPrincipalId + principalType: 'ServicePrincipal' + } + ] + sku: 'Standard' + stagingEnvironmentPolicy: 'Enabled' + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + nestedDependencies.outputs.managedIdentityResourceId + ] + } + appSettings: { + foo: 'bar' + setting: 1 + } + functionAppSettings: { + foo: 'bar' + setting: 1 + } + linkedBackend: { + resourceId: nestedDependencies.outputs.siteResourceId + } + tags: { + 'hidden-title': 'This is visible in the resource name' + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } +} From e46978f4c49b99cec03813ee7c35afc941f94f9e Mon Sep 17 00:00:00 2001 From: Erika Gressi Date: Sun, 5 Nov 2023 21:01:40 +0100 Subject: [PATCH 2/4] waf serviceshort --- .../aad/domain-service/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../server/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../service/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../configuration-store/tests/e2e/waf-aligned/main.test.bicep | 2 +- modules/app/container-app/tests/e2e/waf-aligned/main.test.bicep | 2 +- modules/app/job/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../managed-environment/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../authorization/lock/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../automation-account/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../batch/batch-account/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../redis-enterprise/tests/e2e/waf-aligned/main.test.bicep | 2 +- modules/cache/redis/tests/e2e/waf-aligned/main.test.bicep | 2 +- modules/cdn/profile/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../account/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../availability-set/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../disk-encryption-set/tests/e2e/waf-aligned/main.test.bicep | 2 +- modules/compute/disk/tests/e2e/waf-aligned/main.test.bicep | 2 +- modules/compute/gallery/tests/e2e/waf-aligned/main.test.bicep | 2 +- modules/compute/image/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../tests/e2e/waf-aligned/main.test.bicep | 2 +- .../ssh-public-key/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../consumption/budget/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../container-group/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../registry/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../data-factory/factory/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../backup-vault/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../access-connector/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../databricks/workspace/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../application-group/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../host-pool/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../scaling-plan/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../workspace/tests/e2e/waf-aligned/main.test.bicep | 2 +- modules/dev-test-lab/lab/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../tests/e2e/waf-aligned/main.test.bicep | 2 +- modules/event-grid/domain/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../system-topic/tests/e2e/waf-aligned/main.test.bicep | 2 +- modules/event-grid/topic/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../event-hub/namespace/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../health-bot/health-bot/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../workspace/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../insights/action-group/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../activity-log-alert/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../insights/component/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../tests/e2e/waf-aligned/main.test.bicep | 2 +- .../diagnostic-setting/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../insights/metric-alert/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../private-link-scope/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../scheduled-query-rule/tests/e2e/waf-aligned/main.test.bicep | 2 +- modules/insights/webtest/tests/e2e/waf-aligned/main.test.bicep | 2 +- modules/key-vault/vault/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../extension/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../flux-configuration/tests/e2e/waf-aligned/main.test.bicep | 2 +- modules/logic/workflow/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../workspace/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../tests/e2e/waf-aligned/main.test.bicep | 2 +- .../tests/e2e/waf-aligned/main.test.bicep | 2 +- .../tests/e2e/waf-aligned/main.test.bicep | 2 +- .../management-group/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../tests/e2e/waf-aligned/main.test.bicep | 2 +- .../application-gateway/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../tests/e2e/waf-aligned/main.test.bicep | 2 +- .../azure-firewall/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../network/bastion-host/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../ddos-protection-plan/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../tests/e2e/waf-aligned/main.test.bicep | 2 +- .../network/dns-resolver/tests/e2e/waf-aligned/main.test.bicep | 2 +- modules/network/dns-zone/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../express-route-circuit/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../express-route-gateway/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../firewall-policy/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../tests/e2e/waf-aligned/main.test.bicep | 2 +- .../network/front-door/tests/e2e/waf-aligned/main.test.bicep | 2 +- modules/network/ip-group/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../network/load-balancer/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../local-network-gateway/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../network/nat-gateway/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../network-interface/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../network-manager/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../tests/e2e/waf-aligned/main.test.bicep | 2 +- .../network-watcher/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../private-dns-zone/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../private-endpoint/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../private-link-service/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../public-ip-address/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../public-ip-prefix/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../network/route-table/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../tests/e2e/waf-aligned/main.test.bicep | 2 +- .../trafficmanagerprofile/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../network/virtual-hub/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../virtual-network/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../network/virtual-wan/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../network/vpn-gateway/tests/e2e/waf-aligned/main.test.bicep | 2 +- modules/network/vpn-site/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../workspace/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../capacity/tests/e2e/waf-aligned/main.test.bicep | 2 +- modules/purview/account/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../vault/tests/e2e/waf-aligned/main.test.bicep | 2 +- modules/relay/namespace/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../resource-graph/query/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../resource-group/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../search/search-service/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../azure-security-center/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../service-bus/namespace/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../cluster/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../signal-r/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../web-pub-sub/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../sql/managed-instance/tests/e2e/waf-aligned/main.test.bicep | 2 +- modules/sql/server/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../storage-account/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../private-link-hub/tests/e2e/waf-aligned/main.test.bicep | 2 +- modules/synapse/workspace/tests/e2e/waf-aligned/main.test.bicep | 2 +- .../image-template/tests/e2e/waf-aligned/main.test.bicep | 2 +- modules/web/connection/tests/e2e/waf-aligned/main.test.bicep | 2 +- modules/web/serverfarm/tests/e2e/waf-aligned/main.test.bicep | 2 +- modules/web/static-site/tests/e2e/waf-aligned/main.test.bicep | 2 +- 115 files changed, 115 insertions(+), 115 deletions(-) diff --git a/modules/aad/domain-service/tests/e2e/waf-aligned/main.test.bicep b/modules/aad/domain-service/tests/e2e/waf-aligned/main.test.bicep index 57a8a8aae6..d2d0c80f7a 100644 --- a/modules/aad/domain-service/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/aad/domain-service/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-aad.domainservices-${service param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'aaddsmax' +param serviceShort string = 'aaddswaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/analysis-services/server/tests/e2e/waf-aligned/main.test.bicep b/modules/analysis-services/server/tests/e2e/waf-aligned/main.test.bicep index 05de9c3d73..8b3250792b 100644 --- a/modules/analysis-services/server/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/analysis-services/server/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-analysisservices.servers-${s param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'assmax' +param serviceShort string = 'asswaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/api-management/service/tests/e2e/waf-aligned/main.test.bicep b/modules/api-management/service/tests/e2e/waf-aligned/main.test.bicep index c1918b4ef4..f3eb933a6c 100644 --- a/modules/api-management/service/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/api-management/service/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-apimanagement.service-${serv param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'apismax' +param serviceShort string = 'apiswaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/app-configuration/configuration-store/tests/e2e/waf-aligned/main.test.bicep b/modules/app-configuration/configuration-store/tests/e2e/waf-aligned/main.test.bicep index a87462b588..6f7e031d15 100644 --- a/modules/app-configuration/configuration-store/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/app-configuration/configuration-store/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-appconfiguration.configurati param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'accmax' +param serviceShort string = 'accwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/app/container-app/tests/e2e/waf-aligned/main.test.bicep b/modules/app/container-app/tests/e2e/waf-aligned/main.test.bicep index 68cd3514ae..eb4fb59871 100644 --- a/modules/app/container-app/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/app/container-app/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-app.containerApps-${serviceS param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'mcappmax' +param serviceShort string = 'mcappwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/app/job/tests/e2e/waf-aligned/main.test.bicep b/modules/app/job/tests/e2e/waf-aligned/main.test.bicep index ad0bd71925..ecd9abf0a2 100644 --- a/modules/app/job/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/app/job/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-app.job-${serviceShort}-rg' param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'ajmax' +param serviceShort string = 'ajwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/app/managed-environment/tests/e2e/waf-aligned/main.test.bicep b/modules/app/managed-environment/tests/e2e/waf-aligned/main.test.bicep index 1843a5b3ce..aedcf4fca9 100644 --- a/modules/app/managed-environment/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/app/managed-environment/tests/e2e/waf-aligned/main.test.bicep @@ -14,7 +14,7 @@ param resourceGroupName string = 'dep-${namePrefix}-app.managedenvironments-${se param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'amemax' +param serviceShort string = 'amewaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/authorization/lock/tests/e2e/waf-aligned/main.test.bicep b/modules/authorization/lock/tests/e2e/waf-aligned/main.test.bicep index b0a46425c0..e52db3e39f 100644 --- a/modules/authorization/lock/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/authorization/lock/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-authorization.locks-${servic param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'almax' +param serviceShort string = 'alwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/automation/automation-account/tests/e2e/waf-aligned/main.test.bicep b/modules/automation/automation-account/tests/e2e/waf-aligned/main.test.bicep index f0984bd8c6..e4f72eb1f7 100644 --- a/modules/automation/automation-account/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/automation/automation-account/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-automation.account-${service param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'aamax' +param serviceShort string = 'aawaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/batch/batch-account/tests/e2e/waf-aligned/main.test.bicep b/modules/batch/batch-account/tests/e2e/waf-aligned/main.test.bicep index 87a36e6670..ec9a4382d1 100644 --- a/modules/batch/batch-account/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/batch/batch-account/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-batch.batchaccounts-${servic param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'bbamax' +param serviceShort string = 'bbawaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/cache/redis-enterprise/tests/e2e/waf-aligned/main.test.bicep b/modules/cache/redis-enterprise/tests/e2e/waf-aligned/main.test.bicep index ce2540744f..81d64ec2d3 100644 --- a/modules/cache/redis-enterprise/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/cache/redis-enterprise/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-cache.redisenterprise-${serv param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'cremax' +param serviceShort string = 'crewaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/cache/redis/tests/e2e/waf-aligned/main.test.bicep b/modules/cache/redis/tests/e2e/waf-aligned/main.test.bicep index 5162295ff3..ecb90d532f 100644 --- a/modules/cache/redis/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/cache/redis/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-cache.redis-${serviceShort}- param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'crmax' +param serviceShort string = 'crwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/cdn/profile/tests/e2e/waf-aligned/main.test.bicep b/modules/cdn/profile/tests/e2e/waf-aligned/main.test.bicep index 5298d3dc2c..c30bcc8981 100644 --- a/modules/cdn/profile/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/cdn/profile/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-cdn.profiles-${serviceShort} param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'cdnpmax' +param serviceShort string = 'cdnpwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/cognitive-services/account/tests/e2e/waf-aligned/main.test.bicep b/modules/cognitive-services/account/tests/e2e/waf-aligned/main.test.bicep index f548446c6c..bf4594aa55 100644 --- a/modules/cognitive-services/account/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/cognitive-services/account/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-cognitiveservices.accounts-$ param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'csamax' +param serviceShort string = 'csawaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/compute/availability-set/tests/e2e/waf-aligned/main.test.bicep b/modules/compute/availability-set/tests/e2e/waf-aligned/main.test.bicep index c05e914de3..162688273e 100644 --- a/modules/compute/availability-set/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/compute/availability-set/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-compute.availabilitysets-${s param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'casmax' +param serviceShort string = 'caswaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/compute/disk-encryption-set/tests/e2e/waf-aligned/main.test.bicep b/modules/compute/disk-encryption-set/tests/e2e/waf-aligned/main.test.bicep index d854daacec..f4a4a14719 100644 --- a/modules/compute/disk-encryption-set/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/compute/disk-encryption-set/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-compute.diskencryptionsets-$ param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'cdesmax' +param serviceShort string = 'cdeswaf' @description('Generated. Used as a basis for unique resource names.') param baseTime string = utcNow('u') diff --git a/modules/compute/disk/tests/e2e/waf-aligned/main.test.bicep b/modules/compute/disk/tests/e2e/waf-aligned/main.test.bicep index 7916ad9f61..32c1327494 100644 --- a/modules/compute/disk/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/compute/disk/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-compute.images-${serviceShor param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'cdmax' +param serviceShort string = 'cdwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/compute/gallery/tests/e2e/waf-aligned/main.test.bicep b/modules/compute/gallery/tests/e2e/waf-aligned/main.test.bicep index a93ee28315..a2d750f0df 100644 --- a/modules/compute/gallery/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/compute/gallery/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-compute.galleries-${serviceS param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'cgmax' +param serviceShort string = 'cgwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/compute/image/tests/e2e/waf-aligned/main.test.bicep b/modules/compute/image/tests/e2e/waf-aligned/main.test.bicep index 7b5bd31348..a1674468fc 100644 --- a/modules/compute/image/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/compute/image/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-compute.images-${serviceShor param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'cimax' +param serviceShort string = 'ciwaf' @description('Generated. Used as a basis for unique resource names.') param baseTime string = utcNow('u') diff --git a/modules/compute/proximity-placement-group/tests/e2e/waf-aligned/main.test.bicep b/modules/compute/proximity-placement-group/tests/e2e/waf-aligned/main.test.bicep index 93f79eb2fe..c71530b091 100644 --- a/modules/compute/proximity-placement-group/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/compute/proximity-placement-group/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-compute.proximityplacementgr param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'cppgmax' +param serviceShort string = 'cppgwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/compute/ssh-public-key/tests/e2e/waf-aligned/main.test.bicep b/modules/compute/ssh-public-key/tests/e2e/waf-aligned/main.test.bicep index a35550fe1c..83a4c0a217 100644 --- a/modules/compute/ssh-public-key/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/compute/ssh-public-key/tests/e2e/waf-aligned/main.test.bicep @@ -16,7 +16,7 @@ param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') @maxLength(7) -param serviceShort string = 'cspkmax' +param serviceShort string = 'cspkwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/consumption/budget/tests/e2e/waf-aligned/main.test.bicep b/modules/consumption/budget/tests/e2e/waf-aligned/main.test.bicep index 691655f30f..b8750414d2 100644 --- a/modules/consumption/budget/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/consumption/budget/tests/e2e/waf-aligned/main.test.bicep @@ -8,7 +8,7 @@ metadata description = 'This instance deploys the module with most of its featur // ========== // @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'cbmax' +param serviceShort string = 'cbwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/container-instance/container-group/tests/e2e/waf-aligned/main.test.bicep b/modules/container-instance/container-group/tests/e2e/waf-aligned/main.test.bicep index d98a8c184b..c542bde291 100644 --- a/modules/container-instance/container-group/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/container-instance/container-group/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-containerinstance.containerg param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'cicgmax' +param serviceShort string = 'cicgwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/container-registry/registry/tests/e2e/waf-aligned/main.test.bicep b/modules/container-registry/registry/tests/e2e/waf-aligned/main.test.bicep index 5a9631cb3d..023a2b4d3e 100644 --- a/modules/container-registry/registry/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/container-registry/registry/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-containerregistry.registries param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'crrmax' +param serviceShort string = 'crrwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/data-factory/factory/tests/e2e/waf-aligned/main.test.bicep b/modules/data-factory/factory/tests/e2e/waf-aligned/main.test.bicep index 8e8dd7f0ad..467374587b 100644 --- a/modules/data-factory/factory/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/data-factory/factory/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-datafactory.factories-${serv param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'dffmax' +param serviceShort string = 'dffwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/data-protection/backup-vault/tests/e2e/waf-aligned/main.test.bicep b/modules/data-protection/backup-vault/tests/e2e/waf-aligned/main.test.bicep index 9a85777eb1..0ceca5b7de 100644 --- a/modules/data-protection/backup-vault/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/data-protection/backup-vault/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-dataprotection.backupvaults- param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'dpbvmax' +param serviceShort string = 'dpbvwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/databricks/access-connector/tests/e2e/waf-aligned/main.test.bicep b/modules/databricks/access-connector/tests/e2e/waf-aligned/main.test.bicep index d67edfcaff..0832635368 100644 --- a/modules/databricks/access-connector/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/databricks/access-connector/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-databricks.accessconnectors- param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'dacmax' +param serviceShort string = 'dacwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/databricks/workspace/tests/e2e/waf-aligned/main.test.bicep b/modules/databricks/workspace/tests/e2e/waf-aligned/main.test.bicep index cbf4a382c1..a5966c73a5 100644 --- a/modules/databricks/workspace/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/databricks/workspace/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-databricks.workspaces-${serv param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'dwmax' +param serviceShort string = 'dwwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/desktop-virtualization/application-group/tests/e2e/waf-aligned/main.test.bicep b/modules/desktop-virtualization/application-group/tests/e2e/waf-aligned/main.test.bicep index 115ba77ed7..1aaedaea74 100644 --- a/modules/desktop-virtualization/application-group/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/desktop-virtualization/application-group/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-desktopvirtualization.applic param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'dvagmax' +param serviceShort string = 'dvagwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/desktop-virtualization/host-pool/tests/e2e/waf-aligned/main.test.bicep b/modules/desktop-virtualization/host-pool/tests/e2e/waf-aligned/main.test.bicep index d48cbdcade..2bf0bd38cc 100644 --- a/modules/desktop-virtualization/host-pool/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/desktop-virtualization/host-pool/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-desktopvirtualization.hostpo param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'dvhpmax' +param serviceShort string = 'dvhpwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/desktop-virtualization/scaling-plan/tests/e2e/waf-aligned/main.test.bicep b/modules/desktop-virtualization/scaling-plan/tests/e2e/waf-aligned/main.test.bicep index b8426b2533..8aa71a7192 100644 --- a/modules/desktop-virtualization/scaling-plan/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/desktop-virtualization/scaling-plan/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-desktopvirtualization.scalin param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'dvspmax' +param serviceShort string = 'dvspwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/desktop-virtualization/workspace/tests/e2e/waf-aligned/main.test.bicep b/modules/desktop-virtualization/workspace/tests/e2e/waf-aligned/main.test.bicep index 565fbfe6a8..aa5f090053 100644 --- a/modules/desktop-virtualization/workspace/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/desktop-virtualization/workspace/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-desktopvirtualization.worksp param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'dvwmax' +param serviceShort string = 'dvwwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/dev-test-lab/lab/tests/e2e/waf-aligned/main.test.bicep b/modules/dev-test-lab/lab/tests/e2e/waf-aligned/main.test.bicep index 302920b17e..48a4f0cb6b 100644 --- a/modules/dev-test-lab/lab/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/dev-test-lab/lab/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-devtestlab.labs-${serviceSho param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'dtllmax' +param serviceShort string = 'dtllwaf' @description('Generated. Used as a basis for unique resource names.') param baseTime string = utcNow('u') diff --git a/modules/digital-twins/digital-twins-instance/tests/e2e/waf-aligned/main.test.bicep b/modules/digital-twins/digital-twins-instance/tests/e2e/waf-aligned/main.test.bicep index 6b1f42d08a..18ddbe5fe0 100644 --- a/modules/digital-twins/digital-twins-instance/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/digital-twins/digital-twins-instance/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-digitaltwins.digitaltwinsins param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'dtdtimax' +param serviceShort string = 'dtdtiwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/event-grid/domain/tests/e2e/waf-aligned/main.test.bicep b/modules/event-grid/domain/tests/e2e/waf-aligned/main.test.bicep index de3be09b26..638ac05841 100644 --- a/modules/event-grid/domain/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/event-grid/domain/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-eventgrid.domains-${serviceS param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'egdmax' +param serviceShort string = 'egdwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/event-grid/system-topic/tests/e2e/waf-aligned/main.test.bicep b/modules/event-grid/system-topic/tests/e2e/waf-aligned/main.test.bicep index a1fe7d4bf5..d953b7ca3c 100644 --- a/modules/event-grid/system-topic/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/event-grid/system-topic/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-eventgrid.systemtopics-${ser param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'egstmax' +param serviceShort string = 'egstwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/event-grid/topic/tests/e2e/waf-aligned/main.test.bicep b/modules/event-grid/topic/tests/e2e/waf-aligned/main.test.bicep index 3ca8f6121e..6eae44cab6 100644 --- a/modules/event-grid/topic/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/event-grid/topic/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-eventgrid.topics-${serviceSh param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'egtmax' +param serviceShort string = 'egtwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/event-hub/namespace/tests/e2e/waf-aligned/main.test.bicep b/modules/event-hub/namespace/tests/e2e/waf-aligned/main.test.bicep index edfc8d7534..46d64cad24 100644 --- a/modules/event-hub/namespace/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/event-hub/namespace/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-eventhub.namespaces-${servic param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'ehnmax' +param serviceShort string = 'ehnwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/health-bot/health-bot/tests/e2e/waf-aligned/main.test.bicep b/modules/health-bot/health-bot/tests/e2e/waf-aligned/main.test.bicep index 5f1fafa9ee..46f5bb7094 100644 --- a/modules/health-bot/health-bot/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/health-bot/health-bot/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-healthbot.healthbots-${servi param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'hbhbmax' +param serviceShort string = 'hbhbwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/healthcare-apis/workspace/tests/e2e/waf-aligned/main.test.bicep b/modules/healthcare-apis/workspace/tests/e2e/waf-aligned/main.test.bicep index 5e4f905ce5..c6baef56db 100644 --- a/modules/healthcare-apis/workspace/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/healthcare-apis/workspace/tests/e2e/waf-aligned/main.test.bicep @@ -14,7 +14,7 @@ param resourceGroupName string = 'dep-${namePrefix}-healthcareapis.workspaces-${ param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'hawmax' +param serviceShort string = 'hawwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/insights/action-group/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/action-group/tests/e2e/waf-aligned/main.test.bicep index 7a156298a2..3c6b2af9d2 100644 --- a/modules/insights/action-group/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/insights/action-group/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-insights.actiongroups-${serv param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'iagmax' +param serviceShort string = 'iagwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/insights/activity-log-alert/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/activity-log-alert/tests/e2e/waf-aligned/main.test.bicep index 74452e4c5f..f28a14b5ef 100644 --- a/modules/insights/activity-log-alert/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/insights/activity-log-alert/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-insights.activityLogAlerts-$ param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'ialamax' +param serviceShort string = 'ialawaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/insights/component/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/component/tests/e2e/waf-aligned/main.test.bicep index e272985a9c..6a5019e911 100644 --- a/modules/insights/component/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/insights/component/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-insights.components-${servic param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'icmax' +param serviceShort string = 'icwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/insights/data-collection-endpoint/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/data-collection-endpoint/tests/e2e/waf-aligned/main.test.bicep index 0bcea4cb4a..5fee251271 100644 --- a/modules/insights/data-collection-endpoint/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/insights/data-collection-endpoint/tests/e2e/waf-aligned/main.test.bicep @@ -14,7 +14,7 @@ param resourceGroupName string = 'dep-${namePrefix}-insights.dataCollectionEndpo param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'idcemax' +param serviceShort string = 'idcewaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/insights/diagnostic-setting/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/diagnostic-setting/tests/e2e/waf-aligned/main.test.bicep index b26c05e269..1cb3f4e768 100644 --- a/modules/insights/diagnostic-setting/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/insights/diagnostic-setting/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-insights.diagnosticsettings- param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'idsmax' +param serviceShort string = 'idswaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/insights/metric-alert/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/metric-alert/tests/e2e/waf-aligned/main.test.bicep index f9cc7d5482..9cf53b311a 100644 --- a/modules/insights/metric-alert/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/insights/metric-alert/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-insights.metricalerts-${serv param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'imamax' +param serviceShort string = 'imawaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/insights/private-link-scope/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/private-link-scope/tests/e2e/waf-aligned/main.test.bicep index 6b92ace5e2..8188d7e4c1 100644 --- a/modules/insights/private-link-scope/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/insights/private-link-scope/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-insights.privatelinkscopes-$ param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'iplsmax' +param serviceShort string = 'iplswaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/insights/scheduled-query-rule/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/scheduled-query-rule/tests/e2e/waf-aligned/main.test.bicep index d8bc06cf5e..ef5c2d8690 100644 --- a/modules/insights/scheduled-query-rule/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/insights/scheduled-query-rule/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-insights.scheduledqueryrules param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'isqrmax' +param serviceShort string = 'isqrwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/insights/webtest/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/webtest/tests/e2e/waf-aligned/main.test.bicep index 1a552a552b..08eab5ba2f 100644 --- a/modules/insights/webtest/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/insights/webtest/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-insights.webtests-${serviceS param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'iwtmax' +param serviceShort string = 'iwtwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/key-vault/vault/tests/e2e/waf-aligned/main.test.bicep b/modules/key-vault/vault/tests/e2e/waf-aligned/main.test.bicep index 16392f9744..09b81281ae 100644 --- a/modules/key-vault/vault/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/key-vault/vault/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-keyvault.vaults-${serviceSho param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'kvvmax' +param serviceShort string = 'kvvwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/kubernetes-configuration/extension/tests/e2e/waf-aligned/main.test.bicep b/modules/kubernetes-configuration/extension/tests/e2e/waf-aligned/main.test.bicep index c371a3c0d2..01b9f49a9b 100644 --- a/modules/kubernetes-configuration/extension/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/kubernetes-configuration/extension/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-kubernetesconfiguration.exte param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'kcemax' +param serviceShort string = 'kcewaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/kubernetes-configuration/flux-configuration/tests/e2e/waf-aligned/main.test.bicep b/modules/kubernetes-configuration/flux-configuration/tests/e2e/waf-aligned/main.test.bicep index 9a9c757de1..615feee7d2 100644 --- a/modules/kubernetes-configuration/flux-configuration/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/kubernetes-configuration/flux-configuration/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-kubernetesconfiguration.flux param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'kcfcmax' +param serviceShort string = 'kcfcwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/logic/workflow/tests/e2e/waf-aligned/main.test.bicep b/modules/logic/workflow/tests/e2e/waf-aligned/main.test.bicep index 5ab05e3420..170a018bff 100644 --- a/modules/logic/workflow/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/logic/workflow/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-logic.workflows-${serviceSho param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'lwmax' +param serviceShort string = 'lwwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/machine-learning-services/workspace/tests/e2e/waf-aligned/main.test.bicep b/modules/machine-learning-services/workspace/tests/e2e/waf-aligned/main.test.bicep index ba4a782be3..3810841417 100644 --- a/modules/machine-learning-services/workspace/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/machine-learning-services/workspace/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-machinelearningservices.work param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'mlswmax' +param serviceShort string = 'mlswwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/maintenance/maintenance-configuration/tests/e2e/waf-aligned/main.test.bicep b/modules/maintenance/maintenance-configuration/tests/e2e/waf-aligned/main.test.bicep index 980dcf5100..b17c39eb24 100644 --- a/modules/maintenance/maintenance-configuration/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/maintenance/maintenance-configuration/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-maintenance.maintenanceconfi param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'mmcmax' +param serviceShort string = 'mmcwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/managed-identity/user-assigned-identity/tests/e2e/waf-aligned/main.test.bicep b/modules/managed-identity/user-assigned-identity/tests/e2e/waf-aligned/main.test.bicep index bd4e76dc48..c425af6402 100644 --- a/modules/managed-identity/user-assigned-identity/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/managed-identity/user-assigned-identity/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-managedidentity.userassigned param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'miuaimax' +param serviceShort string = 'miuaiwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/managed-services/registration-definition/tests/e2e/waf-aligned/main.test.bicep b/modules/managed-services/registration-definition/tests/e2e/waf-aligned/main.test.bicep index 09e848751a..75f0cef773 100644 --- a/modules/managed-services/registration-definition/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/managed-services/registration-definition/tests/e2e/waf-aligned/main.test.bicep @@ -8,7 +8,7 @@ metadata description = 'This instance deploys the module with most of its featur // ========== // @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'msrdmax' +param serviceShort string = 'msrdwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/management/management-group/tests/e2e/waf-aligned/main.test.bicep b/modules/management/management-group/tests/e2e/waf-aligned/main.test.bicep index 41256aa624..b0da99a45e 100644 --- a/modules/management/management-group/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/management/management-group/tests/e2e/waf-aligned/main.test.bicep @@ -8,7 +8,7 @@ metadata description = 'This instance deploys the module with most of its featur // ========== // @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'mmgmax' +param serviceShort string = 'mmgwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/application-gateway-web-application-firewall-policy/tests/e2e/waf-aligned/main.test.bicep b/modules/network/application-gateway-web-application-firewall-policy/tests/e2e/waf-aligned/main.test.bicep index a06afa8f68..3969836c01 100644 --- a/modules/network/application-gateway-web-application-firewall-policy/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/application-gateway-web-application-firewall-policy/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.applicationGatewayWe param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nagwafpmax' +param serviceShort string = 'nagwafpwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/application-gateway/tests/e2e/waf-aligned/main.test.bicep b/modules/network/application-gateway/tests/e2e/waf-aligned/main.test.bicep index 9359135a3f..8dad883461 100644 --- a/modules/network/application-gateway/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/application-gateway/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.applicationgateways- param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nagmax' +param serviceShort string = 'nagwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/application-security-group/tests/e2e/waf-aligned/main.test.bicep b/modules/network/application-security-group/tests/e2e/waf-aligned/main.test.bicep index 338980479c..f9b085d772 100644 --- a/modules/network/application-security-group/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/application-security-group/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.applicationsecurityg param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nasgmax' +param serviceShort string = 'nasgwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/azure-firewall/tests/e2e/waf-aligned/main.test.bicep b/modules/network/azure-firewall/tests/e2e/waf-aligned/main.test.bicep index 654c2e950c..73263ae534 100644 --- a/modules/network/azure-firewall/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/azure-firewall/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.azurefirewalls-${ser param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nafmax' +param serviceShort string = 'nafwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/bastion-host/tests/e2e/waf-aligned/main.test.bicep b/modules/network/bastion-host/tests/e2e/waf-aligned/main.test.bicep index c601028796..82262adf93 100644 --- a/modules/network/bastion-host/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/bastion-host/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.bastionhosts-${servi param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nbhmax' +param serviceShort string = 'nbhwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/ddos-protection-plan/tests/e2e/waf-aligned/main.test.bicep b/modules/network/ddos-protection-plan/tests/e2e/waf-aligned/main.test.bicep index 5ef4541d51..860f39fd7c 100644 --- a/modules/network/ddos-protection-plan/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/ddos-protection-plan/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.ddosprotectionplans- param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'ndppmax' +param serviceShort string = 'ndppwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/dns-forwarding-ruleset/tests/e2e/waf-aligned/main.test.bicep b/modules/network/dns-forwarding-ruleset/tests/e2e/waf-aligned/main.test.bicep index 62b410d4e1..eac5141cfe 100644 --- a/modules/network/dns-forwarding-ruleset/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/dns-forwarding-ruleset/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.dnsForwardingRuleset param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'ndfrsmax' +param serviceShort string = 'ndfrswaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/dns-resolver/tests/e2e/waf-aligned/main.test.bicep b/modules/network/dns-resolver/tests/e2e/waf-aligned/main.test.bicep index a15b78dbf0..e982dc4056 100644 --- a/modules/network/dns-resolver/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/dns-resolver/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.dnsResolvers-${servi param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'ndrmax' +param serviceShort string = 'ndrwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/dns-zone/tests/e2e/waf-aligned/main.test.bicep b/modules/network/dns-zone/tests/e2e/waf-aligned/main.test.bicep index f1ec3b4b4a..ac5a9aa82b 100644 --- a/modules/network/dns-zone/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/dns-zone/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.dnszones-${serviceSh param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'ndzmax' +param serviceShort string = 'ndzwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/express-route-circuit/tests/e2e/waf-aligned/main.test.bicep b/modules/network/express-route-circuit/tests/e2e/waf-aligned/main.test.bicep index 3243abdb14..cb24080ab7 100644 --- a/modules/network/express-route-circuit/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/express-route-circuit/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.expressroutecircuits param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nercmax' +param serviceShort string = 'nercwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/express-route-gateway/tests/e2e/waf-aligned/main.test.bicep b/modules/network/express-route-gateway/tests/e2e/waf-aligned/main.test.bicep index 1578837962..b7261b9006 100644 --- a/modules/network/express-route-gateway/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/express-route-gateway/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.expressRouteGateway- param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nergmax' +param serviceShort string = 'nergwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/firewall-policy/tests/e2e/waf-aligned/main.test.bicep b/modules/network/firewall-policy/tests/e2e/waf-aligned/main.test.bicep index 880b8de836..86b953679c 100644 --- a/modules/network/firewall-policy/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/firewall-policy/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.firewallpolicies-${s param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nfpmax' +param serviceShort string = 'nfpwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/front-door-web-application-firewall-policy/tests/e2e/waf-aligned/main.test.bicep b/modules/network/front-door-web-application-firewall-policy/tests/e2e/waf-aligned/main.test.bicep index 7bce666da5..1fe1753cf9 100644 --- a/modules/network/front-door-web-application-firewall-policy/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/front-door-web-application-firewall-policy/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.frontdoorWebApplicat param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nagwafpmax' +param serviceShort string = 'nagwafpwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/front-door/tests/e2e/waf-aligned/main.test.bicep b/modules/network/front-door/tests/e2e/waf-aligned/main.test.bicep index bb77bb9c3e..e5b122edf2 100644 --- a/modules/network/front-door/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/front-door/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.frontdoors-${service param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nfdmax' +param serviceShort string = 'nfdwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/ip-group/tests/e2e/waf-aligned/main.test.bicep b/modules/network/ip-group/tests/e2e/waf-aligned/main.test.bicep index 568ddb0caa..31bd059830 100644 --- a/modules/network/ip-group/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/ip-group/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.ipgroups-${serviceSh param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nigmax' +param serviceShort string = 'nigwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/load-balancer/tests/e2e/waf-aligned/main.test.bicep b/modules/network/load-balancer/tests/e2e/waf-aligned/main.test.bicep index 9d7f2ac2d5..5451e2a225 100644 --- a/modules/network/load-balancer/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/load-balancer/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.loadbalancers-${serv param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nlbmax' +param serviceShort string = 'nlbwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/local-network-gateway/tests/e2e/waf-aligned/main.test.bicep b/modules/network/local-network-gateway/tests/e2e/waf-aligned/main.test.bicep index c320c4dba1..3c425d32c8 100644 --- a/modules/network/local-network-gateway/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/local-network-gateway/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.localnetworkgateways param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nlngmax' +param serviceShort string = 'nlngwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/nat-gateway/tests/e2e/waf-aligned/main.test.bicep b/modules/network/nat-gateway/tests/e2e/waf-aligned/main.test.bicep index 36cd281d6e..813433ae8a 100644 --- a/modules/network/nat-gateway/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/nat-gateway/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.natgateways-${servic param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nngmax' +param serviceShort string = 'nngwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/network-interface/tests/e2e/waf-aligned/main.test.bicep b/modules/network/network-interface/tests/e2e/waf-aligned/main.test.bicep index 586661dbc4..10b13eb5f8 100644 --- a/modules/network/network-interface/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/network-interface/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.networkinterfaces-${ param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nnimax' +param serviceShort string = 'nniwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/network-manager/tests/e2e/waf-aligned/main.test.bicep b/modules/network/network-manager/tests/e2e/waf-aligned/main.test.bicep index a1cb6fb4f6..9775808534 100644 --- a/modules/network/network-manager/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/network-manager/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.networkmanagers-${se param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nnmmax' +param serviceShort string = 'nnmwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/network-security-group/tests/e2e/waf-aligned/main.test.bicep b/modules/network/network-security-group/tests/e2e/waf-aligned/main.test.bicep index ba20a64fbc..a08f2f5c07 100644 --- a/modules/network/network-security-group/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/network-security-group/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.networksecuritygroup param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nnsgmax' +param serviceShort string = 'nnsgwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/network-watcher/tests/e2e/waf-aligned/main.test.bicep b/modules/network/network-watcher/tests/e2e/waf-aligned/main.test.bicep index d4dcd43292..b8fcba0ec0 100644 --- a/modules/network/network-watcher/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/network-watcher/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'NetworkWatcherRG' // Note, this is the default param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nnwmax' +param serviceShort string = 'nnwwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/private-dns-zone/tests/e2e/waf-aligned/main.test.bicep b/modules/network/private-dns-zone/tests/e2e/waf-aligned/main.test.bicep index d62a97edb9..081dc5c6c1 100644 --- a/modules/network/private-dns-zone/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/private-dns-zone/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.privatednszones-${se param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'npdzmax' +param serviceShort string = 'npdzwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/private-endpoint/tests/e2e/waf-aligned/main.test.bicep b/modules/network/private-endpoint/tests/e2e/waf-aligned/main.test.bicep index dcb523c227..fd57bffe43 100644 --- a/modules/network/private-endpoint/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/private-endpoint/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.privateendpoints-${s param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'npemax' +param serviceShort string = 'npewaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/private-link-service/tests/e2e/waf-aligned/main.test.bicep b/modules/network/private-link-service/tests/e2e/waf-aligned/main.test.bicep index 8333f18672..c0094b8bc9 100644 --- a/modules/network/private-link-service/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/private-link-service/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.privatelinkservices- param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nplsmax' +param serviceShort string = 'nplswaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/public-ip-address/tests/e2e/waf-aligned/main.test.bicep b/modules/network/public-ip-address/tests/e2e/waf-aligned/main.test.bicep index aed225af85..044a3173db 100644 --- a/modules/network/public-ip-address/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/public-ip-address/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.publicipaddresses-${ param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'npiamax' +param serviceShort string = 'npiawaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/public-ip-prefix/tests/e2e/waf-aligned/main.test.bicep b/modules/network/public-ip-prefix/tests/e2e/waf-aligned/main.test.bicep index 8e6d167811..eb709a7ac1 100644 --- a/modules/network/public-ip-prefix/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/public-ip-prefix/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.publicipprefixes-${s param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'npipmax' +param serviceShort string = 'npipwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/route-table/tests/e2e/waf-aligned/main.test.bicep b/modules/network/route-table/tests/e2e/waf-aligned/main.test.bicep index 591f42c921..3caae20917 100644 --- a/modules/network/route-table/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/route-table/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.routetables-${servic param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nrtmax' +param serviceShort string = 'nrtwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/service-endpoint-policy/tests/e2e/waf-aligned/main.test.bicep b/modules/network/service-endpoint-policy/tests/e2e/waf-aligned/main.test.bicep index 383bd64097..9cc7e98f43 100644 --- a/modules/network/service-endpoint-policy/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/service-endpoint-policy/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.serviceendpointpolic param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nsnpmax' +param serviceShort string = 'nsnpwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/trafficmanagerprofile/tests/e2e/waf-aligned/main.test.bicep b/modules/network/trafficmanagerprofile/tests/e2e/waf-aligned/main.test.bicep index e33f38cf77..83106cc568 100644 --- a/modules/network/trafficmanagerprofile/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/trafficmanagerprofile/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.trafficmanagerprofil param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'ntmpmax' +param serviceShort string = 'ntmpwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/virtual-hub/tests/e2e/waf-aligned/main.test.bicep b/modules/network/virtual-hub/tests/e2e/waf-aligned/main.test.bicep index 40bfcc913c..4aee8cd296 100644 --- a/modules/network/virtual-hub/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/virtual-hub/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.virtualHub-${service param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nvhmax' +param serviceShort string = 'nvhwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/virtual-network/tests/e2e/waf-aligned/main.test.bicep b/modules/network/virtual-network/tests/e2e/waf-aligned/main.test.bicep index 5a84c91f10..51abbe0f8e 100644 --- a/modules/network/virtual-network/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/virtual-network/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.virtualnetworks-${se param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nvnmax' +param serviceShort string = 'nvnwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/virtual-wan/tests/e2e/waf-aligned/main.test.bicep b/modules/network/virtual-wan/tests/e2e/waf-aligned/main.test.bicep index d0dd150785..d2671fd741 100644 --- a/modules/network/virtual-wan/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/virtual-wan/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.virtualwans-${servic param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nvwmax' +param serviceShort string = 'nvwwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/vpn-gateway/tests/e2e/waf-aligned/main.test.bicep b/modules/network/vpn-gateway/tests/e2e/waf-aligned/main.test.bicep index 798de44466..d182063697 100644 --- a/modules/network/vpn-gateway/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/vpn-gateway/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.vpngateways-${servic param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nvgmax' +param serviceShort string = 'nvgwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/network/vpn-site/tests/e2e/waf-aligned/main.test.bicep b/modules/network/vpn-site/tests/e2e/waf-aligned/main.test.bicep index 8f0bab6726..22286a4861 100644 --- a/modules/network/vpn-site/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/vpn-site/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-network.vpnSites-${serviceSh param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'nvsmax' +param serviceShort string = 'nvswaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/operational-insights/workspace/tests/e2e/waf-aligned/main.test.bicep b/modules/operational-insights/workspace/tests/e2e/waf-aligned/main.test.bicep index a3d86cf782..42b0858092 100644 --- a/modules/operational-insights/workspace/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/operational-insights/workspace/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-operationalinsights.workspac param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'oiwmax' +param serviceShort string = 'oiwwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/power-bi-dedicated/capacity/tests/e2e/waf-aligned/main.test.bicep b/modules/power-bi-dedicated/capacity/tests/e2e/waf-aligned/main.test.bicep index fac442cdfe..9ca0870b86 100644 --- a/modules/power-bi-dedicated/capacity/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/power-bi-dedicated/capacity/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-powerbidedicated.capacities- param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'pbdcapmax' +param serviceShort string = 'pbdcapwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/purview/account/tests/e2e/waf-aligned/main.test.bicep b/modules/purview/account/tests/e2e/waf-aligned/main.test.bicep index aa24c189e1..aacd2d49f5 100644 --- a/modules/purview/account/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/purview/account/tests/e2e/waf-aligned/main.test.bicep @@ -14,7 +14,7 @@ param resourceGroupName string = 'dep-${namePrefix}-purview-${serviceShort}-rg' param location string = 'eastus' // Only available in selected locations: eastus, eastus2, southcentralus, westcentralus, westus, westus2, westus3 @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'pvamax' +param serviceShort string = 'pvawaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/recovery-services/vault/tests/e2e/waf-aligned/main.test.bicep b/modules/recovery-services/vault/tests/e2e/waf-aligned/main.test.bicep index 5184d05b9b..412b60ed34 100644 --- a/modules/recovery-services/vault/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/recovery-services/vault/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-recoveryservices.vaults-${se param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'rsvmax' +param serviceShort string = 'rsvwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/relay/namespace/tests/e2e/waf-aligned/main.test.bicep b/modules/relay/namespace/tests/e2e/waf-aligned/main.test.bicep index d438ec09ec..28d76d1e2a 100644 --- a/modules/relay/namespace/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/relay/namespace/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-relay.namespaces-${serviceSh param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'rnmax' +param serviceShort string = 'rnwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/resource-graph/query/tests/e2e/waf-aligned/main.test.bicep b/modules/resource-graph/query/tests/e2e/waf-aligned/main.test.bicep index 8ff4e69568..2b19e11e33 100644 --- a/modules/resource-graph/query/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/resource-graph/query/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-resourcegraph.queries-${serv param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'rgqmax' +param serviceShort string = 'rgqwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/resources/resource-group/tests/e2e/waf-aligned/main.test.bicep b/modules/resources/resource-group/tests/e2e/waf-aligned/main.test.bicep index 91f263f885..b2184ff80d 100644 --- a/modules/resources/resource-group/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/resources/resource-group/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-resources.resourcegroups-${s param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'rrgmax' +param serviceShort string = 'rrgwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/search/search-service/tests/e2e/waf-aligned/main.test.bicep b/modules/search/search-service/tests/e2e/waf-aligned/main.test.bicep index 90a01b9be8..7c3f4ba730 100644 --- a/modules/search/search-service/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/search/search-service/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-search.searchservices-${serv param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'sssmax' +param serviceShort string = 'ssswaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/security/azure-security-center/tests/e2e/waf-aligned/main.test.bicep b/modules/security/azure-security-center/tests/e2e/waf-aligned/main.test.bicep index 1118563116..5aa78ce94f 100644 --- a/modules/security/azure-security-center/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/security/azure-security-center/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-security.azureSecurityCenter param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'sascmax' +param serviceShort string = 'sascwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/service-bus/namespace/tests/e2e/waf-aligned/main.test.bicep b/modules/service-bus/namespace/tests/e2e/waf-aligned/main.test.bicep index 617b5a4832..6caa94722f 100644 --- a/modules/service-bus/namespace/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/service-bus/namespace/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-servicebus.namespaces-${serv param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'sbnmax' +param serviceShort string = 'sbnwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/service-fabric/cluster/tests/e2e/waf-aligned/main.test.bicep b/modules/service-fabric/cluster/tests/e2e/waf-aligned/main.test.bicep index c566919098..6e0bbabaa5 100644 --- a/modules/service-fabric/cluster/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/service-fabric/cluster/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-servicefabric.clusters-${ser param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'sfcmax' +param serviceShort string = 'sfcwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/signal-r-service/signal-r/tests/e2e/waf-aligned/main.test.bicep b/modules/signal-r-service/signal-r/tests/e2e/waf-aligned/main.test.bicep index 751e1286fd..27cadf9d2f 100644 --- a/modules/signal-r-service/signal-r/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/signal-r-service/signal-r/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-signalrservice.signalr-${ser param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'srssrmax' +param serviceShort string = 'srssrwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/signal-r-service/web-pub-sub/tests/e2e/waf-aligned/main.test.bicep b/modules/signal-r-service/web-pub-sub/tests/e2e/waf-aligned/main.test.bicep index 007c6f0032..f268d12aff 100644 --- a/modules/signal-r-service/web-pub-sub/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/signal-r-service/web-pub-sub/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-signalrservice.webpubsub-${s param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'srswpsmax' +param serviceShort string = 'srswpswaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/sql/managed-instance/tests/e2e/waf-aligned/main.test.bicep b/modules/sql/managed-instance/tests/e2e/waf-aligned/main.test.bicep index 401b4c47a9..cfb478e53a 100644 --- a/modules/sql/managed-instance/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/sql/managed-instance/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-sql.managedinstances-${servi param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'sqlmimax' +param serviceShort string = 'sqlmiwaf' @description('Generated. Used as a basis for unique resource names.') param baseTime string = utcNow('u') diff --git a/modules/sql/server/tests/e2e/waf-aligned/main.test.bicep b/modules/sql/server/tests/e2e/waf-aligned/main.test.bicep index bea350e17c..2546c5129a 100644 --- a/modules/sql/server/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/sql/server/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-sql.servers-${serviceShort}- param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'sqlsmax' +param serviceShort string = 'sqlswaf' @description('Optional. The password to leverage for the login.') @secure() diff --git a/modules/storage/storage-account/tests/e2e/waf-aligned/main.test.bicep b/modules/storage/storage-account/tests/e2e/waf-aligned/main.test.bicep index 60b068d260..c5c29a5a21 100644 --- a/modules/storage/storage-account/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/storage/storage-account/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-storage.storageaccounts-${se param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'ssamax' +param serviceShort string = 'ssawaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/synapse/private-link-hub/tests/e2e/waf-aligned/main.test.bicep b/modules/synapse/private-link-hub/tests/e2e/waf-aligned/main.test.bicep index 5f1dc18c70..ae9f60f7cb 100644 --- a/modules/synapse/private-link-hub/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/synapse/private-link-hub/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-synapse.privatelinkhubs-${se param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'splhmax' +param serviceShort string = 'splhwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/synapse/workspace/tests/e2e/waf-aligned/main.test.bicep b/modules/synapse/workspace/tests/e2e/waf-aligned/main.test.bicep index 70526bbe29..3743263eb1 100644 --- a/modules/synapse/workspace/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/synapse/workspace/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-synapse.workspaces-${service param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'swmax' +param serviceShort string = 'swwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/virtual-machine-images/image-template/tests/e2e/waf-aligned/main.test.bicep b/modules/virtual-machine-images/image-template/tests/e2e/waf-aligned/main.test.bicep index 254fadcce6..1e786d42b0 100644 --- a/modules/virtual-machine-images/image-template/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/virtual-machine-images/image-template/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-virtualmachineimages.imagete param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'vmiitmax' +param serviceShort string = 'vmiitwaf' @description('Optional. The version of the Azure Compute Gallery Image Definition to be added.') param sigImageVersion string = utcNow('yyyy.MM.dd') diff --git a/modules/web/connection/tests/e2e/waf-aligned/main.test.bicep b/modules/web/connection/tests/e2e/waf-aligned/main.test.bicep index 185384cf04..1b7a62c44a 100644 --- a/modules/web/connection/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/web/connection/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-web.connections-${serviceSho param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'wcmax' +param serviceShort string = 'wcwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/web/serverfarm/tests/e2e/waf-aligned/main.test.bicep b/modules/web/serverfarm/tests/e2e/waf-aligned/main.test.bicep index ab5b234c99..946d6bdaa4 100644 --- a/modules/web/serverfarm/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/web/serverfarm/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-web.serverfarms-${serviceSho param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'wsfmax' +param serviceShort string = 'wsfwaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true diff --git a/modules/web/static-site/tests/e2e/waf-aligned/main.test.bicep b/modules/web/static-site/tests/e2e/waf-aligned/main.test.bicep index 0a800c70a2..a122836e7e 100644 --- a/modules/web/static-site/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/web/static-site/tests/e2e/waf-aligned/main.test.bicep @@ -15,7 +15,7 @@ param resourceGroupName string = 'dep-${namePrefix}-web.staticsites-${serviceSho param location string = deployment().location @description('Optional. A short identifier for the kind of deployment. Should be kept short to not run into resource-name length-constraints.') -param serviceShort string = 'wssmax' +param serviceShort string = 'wsswaf' @description('Optional. Enable telemetry via a Globally Unique Identifier (GUID).') param enableDefaultTelemetry bool = true From c1b47ff11915e84ed91eecdccfe65d5f5051418d Mon Sep 17 00:00:00 2001 From: Erika Gressi Date: Sun, 5 Nov 2023 21:14:16 +0100 Subject: [PATCH 3/4] waf metadata --- .../aad/domain-service/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../server/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../service/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../configuration-store/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../app/container-app/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- modules/app/job/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../managed-environment/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../authorization/lock/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../automation-account/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../batch/batch-account/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../redis-enterprise/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- modules/cache/redis/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- modules/cdn/profile/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../account/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../availability-set/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../disk-encryption-set/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- modules/compute/disk/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- modules/compute/gallery/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- modules/compute/image/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../ssh-public-key/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../consumption/budget/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../container-group/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../registry/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../factory/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../backup-vault/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../access-connector/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../workspace/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../application-group/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../host-pool/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../scaling-plan/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../workspace/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../dev-test-lab/lab/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../event-grid/domain/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../system-topic/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../event-grid/topic/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../event-hub/namespace/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../health-bot/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../workspace/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../action-group/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../activity-log-alert/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../insights/component/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../diagnostic-setting/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../metric-alert/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../private-link-scope/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../insights/webtest/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- modules/key-vault/vault/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../extension/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../flux-configuration/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- modules/logic/workflow/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../workspace/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../management-group/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../application-gateway/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../azure-firewall/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../bastion-host/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../dns-resolver/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../network/dns-zone/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../firewall-policy/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../network/front-door/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../network/ip-group/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../load-balancer/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../network/nat-gateway/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../network-interface/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../network-manager/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../network-watcher/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../private-dns-zone/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../private-endpoint/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../public-ip-address/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../public-ip-prefix/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../network/route-table/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../network/virtual-hub/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../virtual-network/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../network/virtual-wan/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../network/vpn-gateway/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../network/vpn-site/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../workspace/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../capacity/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- modules/purview/account/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../vault/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- modules/relay/namespace/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../query/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../resource-group/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../search-service/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../namespace/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../cluster/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../signal-r/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../web-pub-sub/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../managed-instance/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- modules/sql/server/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../storage-account/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../private-link-hub/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../synapse/workspace/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- .../image-template/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- modules/web/connection/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- modules/web/serverfarm/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- modules/web/static-site/tests/e2e/waf-aligned/main.test.bicep | 4 ++-- 115 files changed, 230 insertions(+), 230 deletions(-) diff --git a/modules/aad/domain-service/tests/e2e/waf-aligned/main.test.bicep b/modules/aad/domain-service/tests/e2e/waf-aligned/main.test.bicep index d2d0c80f7a..605f339c95 100644 --- a/modules/aad/domain-service/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/aad/domain-service/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/analysis-services/server/tests/e2e/waf-aligned/main.test.bicep b/modules/analysis-services/server/tests/e2e/waf-aligned/main.test.bicep index 8b3250792b..7d160d3715 100644 --- a/modules/analysis-services/server/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/analysis-services/server/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/api-management/service/tests/e2e/waf-aligned/main.test.bicep b/modules/api-management/service/tests/e2e/waf-aligned/main.test.bicep index f3eb933a6c..e6246837b8 100644 --- a/modules/api-management/service/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/api-management/service/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/app-configuration/configuration-store/tests/e2e/waf-aligned/main.test.bicep b/modules/app-configuration/configuration-store/tests/e2e/waf-aligned/main.test.bicep index 6f7e031d15..22770e01be 100644 --- a/modules/app-configuration/configuration-store/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/app-configuration/configuration-store/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/app/container-app/tests/e2e/waf-aligned/main.test.bicep b/modules/app/container-app/tests/e2e/waf-aligned/main.test.bicep index eb4fb59871..baa721dd00 100644 --- a/modules/app/container-app/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/app/container-app/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/app/job/tests/e2e/waf-aligned/main.test.bicep b/modules/app/job/tests/e2e/waf-aligned/main.test.bicep index ecd9abf0a2..267c39bb21 100644 --- a/modules/app/job/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/app/job/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/app/managed-environment/tests/e2e/waf-aligned/main.test.bicep b/modules/app/managed-environment/tests/e2e/waf-aligned/main.test.bicep index aedcf4fca9..49d64c4d2c 100644 --- a/modules/app/managed-environment/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/app/managed-environment/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/authorization/lock/tests/e2e/waf-aligned/main.test.bicep b/modules/authorization/lock/tests/e2e/waf-aligned/main.test.bicep index e52db3e39f..0ed75a7621 100644 --- a/modules/authorization/lock/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/authorization/lock/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/automation/automation-account/tests/e2e/waf-aligned/main.test.bicep b/modules/automation/automation-account/tests/e2e/waf-aligned/main.test.bicep index e4f72eb1f7..ebff0d4bc1 100644 --- a/modules/automation/automation-account/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/automation/automation-account/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/batch/batch-account/tests/e2e/waf-aligned/main.test.bicep b/modules/batch/batch-account/tests/e2e/waf-aligned/main.test.bicep index ec9a4382d1..20fbc393af 100644 --- a/modules/batch/batch-account/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/batch/batch-account/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/cache/redis-enterprise/tests/e2e/waf-aligned/main.test.bicep b/modules/cache/redis-enterprise/tests/e2e/waf-aligned/main.test.bicep index 81d64ec2d3..cd0e90a7d9 100644 --- a/modules/cache/redis-enterprise/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/cache/redis-enterprise/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/cache/redis/tests/e2e/waf-aligned/main.test.bicep b/modules/cache/redis/tests/e2e/waf-aligned/main.test.bicep index ecb90d532f..814b68ace3 100644 --- a/modules/cache/redis/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/cache/redis/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/cdn/profile/tests/e2e/waf-aligned/main.test.bicep b/modules/cdn/profile/tests/e2e/waf-aligned/main.test.bicep index c30bcc8981..8df82c8a93 100644 --- a/modules/cdn/profile/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/cdn/profile/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/cognitive-services/account/tests/e2e/waf-aligned/main.test.bicep b/modules/cognitive-services/account/tests/e2e/waf-aligned/main.test.bicep index bf4594aa55..6db604335b 100644 --- a/modules/cognitive-services/account/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/cognitive-services/account/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/compute/availability-set/tests/e2e/waf-aligned/main.test.bicep b/modules/compute/availability-set/tests/e2e/waf-aligned/main.test.bicep index 162688273e..01bac9f002 100644 --- a/modules/compute/availability-set/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/compute/availability-set/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/compute/disk-encryption-set/tests/e2e/waf-aligned/main.test.bicep b/modules/compute/disk-encryption-set/tests/e2e/waf-aligned/main.test.bicep index f4a4a14719..e5354c3489 100644 --- a/modules/compute/disk-encryption-set/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/compute/disk-encryption-set/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/compute/disk/tests/e2e/waf-aligned/main.test.bicep b/modules/compute/disk/tests/e2e/waf-aligned/main.test.bicep index 32c1327494..95bd0f5d73 100644 --- a/modules/compute/disk/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/compute/disk/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/compute/gallery/tests/e2e/waf-aligned/main.test.bicep b/modules/compute/gallery/tests/e2e/waf-aligned/main.test.bicep index a2d750f0df..755e9e49c5 100644 --- a/modules/compute/gallery/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/compute/gallery/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/compute/image/tests/e2e/waf-aligned/main.test.bicep b/modules/compute/image/tests/e2e/waf-aligned/main.test.bicep index a1674468fc..83e55ae5ed 100644 --- a/modules/compute/image/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/compute/image/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/compute/proximity-placement-group/tests/e2e/waf-aligned/main.test.bicep b/modules/compute/proximity-placement-group/tests/e2e/waf-aligned/main.test.bicep index c71530b091..d58853a01e 100644 --- a/modules/compute/proximity-placement-group/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/compute/proximity-placement-group/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/compute/ssh-public-key/tests/e2e/waf-aligned/main.test.bicep b/modules/compute/ssh-public-key/tests/e2e/waf-aligned/main.test.bicep index 83a4c0a217..e432ba94de 100644 --- a/modules/compute/ssh-public-key/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/compute/ssh-public-key/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/consumption/budget/tests/e2e/waf-aligned/main.test.bicep b/modules/consumption/budget/tests/e2e/waf-aligned/main.test.bicep index b8750414d2..ec51e97926 100644 --- a/modules/consumption/budget/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/consumption/budget/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/container-instance/container-group/tests/e2e/waf-aligned/main.test.bicep b/modules/container-instance/container-group/tests/e2e/waf-aligned/main.test.bicep index c542bde291..389ed3cfc7 100644 --- a/modules/container-instance/container-group/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/container-instance/container-group/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/container-registry/registry/tests/e2e/waf-aligned/main.test.bicep b/modules/container-registry/registry/tests/e2e/waf-aligned/main.test.bicep index 023a2b4d3e..c2373864c7 100644 --- a/modules/container-registry/registry/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/container-registry/registry/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/data-factory/factory/tests/e2e/waf-aligned/main.test.bicep b/modules/data-factory/factory/tests/e2e/waf-aligned/main.test.bicep index 467374587b..8c332672b1 100644 --- a/modules/data-factory/factory/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/data-factory/factory/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/data-protection/backup-vault/tests/e2e/waf-aligned/main.test.bicep b/modules/data-protection/backup-vault/tests/e2e/waf-aligned/main.test.bicep index 0ceca5b7de..ef8e13b397 100644 --- a/modules/data-protection/backup-vault/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/data-protection/backup-vault/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/databricks/access-connector/tests/e2e/waf-aligned/main.test.bicep b/modules/databricks/access-connector/tests/e2e/waf-aligned/main.test.bicep index 0832635368..e61783c03c 100644 --- a/modules/databricks/access-connector/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/databricks/access-connector/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/databricks/workspace/tests/e2e/waf-aligned/main.test.bicep b/modules/databricks/workspace/tests/e2e/waf-aligned/main.test.bicep index a5966c73a5..4f74e4d560 100644 --- a/modules/databricks/workspace/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/databricks/workspace/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/desktop-virtualization/application-group/tests/e2e/waf-aligned/main.test.bicep b/modules/desktop-virtualization/application-group/tests/e2e/waf-aligned/main.test.bicep index 1aaedaea74..eb507bfeaf 100644 --- a/modules/desktop-virtualization/application-group/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/desktop-virtualization/application-group/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/desktop-virtualization/host-pool/tests/e2e/waf-aligned/main.test.bicep b/modules/desktop-virtualization/host-pool/tests/e2e/waf-aligned/main.test.bicep index 2bf0bd38cc..6499c1f67f 100644 --- a/modules/desktop-virtualization/host-pool/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/desktop-virtualization/host-pool/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/desktop-virtualization/scaling-plan/tests/e2e/waf-aligned/main.test.bicep b/modules/desktop-virtualization/scaling-plan/tests/e2e/waf-aligned/main.test.bicep index 8aa71a7192..0c02e7560e 100644 --- a/modules/desktop-virtualization/scaling-plan/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/desktop-virtualization/scaling-plan/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/desktop-virtualization/workspace/tests/e2e/waf-aligned/main.test.bicep b/modules/desktop-virtualization/workspace/tests/e2e/waf-aligned/main.test.bicep index aa5f090053..e6907c5ee2 100644 --- a/modules/desktop-virtualization/workspace/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/desktop-virtualization/workspace/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/dev-test-lab/lab/tests/e2e/waf-aligned/main.test.bicep b/modules/dev-test-lab/lab/tests/e2e/waf-aligned/main.test.bicep index 48a4f0cb6b..5c1f2064a6 100644 --- a/modules/dev-test-lab/lab/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/dev-test-lab/lab/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/digital-twins/digital-twins-instance/tests/e2e/waf-aligned/main.test.bicep b/modules/digital-twins/digital-twins-instance/tests/e2e/waf-aligned/main.test.bicep index 18ddbe5fe0..2c2f2e28ca 100644 --- a/modules/digital-twins/digital-twins-instance/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/digital-twins/digital-twins-instance/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/event-grid/domain/tests/e2e/waf-aligned/main.test.bicep b/modules/event-grid/domain/tests/e2e/waf-aligned/main.test.bicep index 638ac05841..bdb9c0b651 100644 --- a/modules/event-grid/domain/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/event-grid/domain/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/event-grid/system-topic/tests/e2e/waf-aligned/main.test.bicep b/modules/event-grid/system-topic/tests/e2e/waf-aligned/main.test.bicep index d953b7ca3c..0ca8feb5b6 100644 --- a/modules/event-grid/system-topic/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/event-grid/system-topic/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/event-grid/topic/tests/e2e/waf-aligned/main.test.bicep b/modules/event-grid/topic/tests/e2e/waf-aligned/main.test.bicep index 6eae44cab6..d093b9d5b8 100644 --- a/modules/event-grid/topic/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/event-grid/topic/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/event-hub/namespace/tests/e2e/waf-aligned/main.test.bicep b/modules/event-hub/namespace/tests/e2e/waf-aligned/main.test.bicep index 46d64cad24..53ec10b8b5 100644 --- a/modules/event-hub/namespace/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/event-hub/namespace/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/health-bot/health-bot/tests/e2e/waf-aligned/main.test.bicep b/modules/health-bot/health-bot/tests/e2e/waf-aligned/main.test.bicep index 46f5bb7094..798f69c2f9 100644 --- a/modules/health-bot/health-bot/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/health-bot/health-bot/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/healthcare-apis/workspace/tests/e2e/waf-aligned/main.test.bicep b/modules/healthcare-apis/workspace/tests/e2e/waf-aligned/main.test.bicep index c6baef56db..bad448e7e7 100644 --- a/modules/healthcare-apis/workspace/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/healthcare-apis/workspace/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/insights/action-group/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/action-group/tests/e2e/waf-aligned/main.test.bicep index 3c6b2af9d2..6059b1d2fd 100644 --- a/modules/insights/action-group/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/insights/action-group/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/insights/activity-log-alert/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/activity-log-alert/tests/e2e/waf-aligned/main.test.bicep index f28a14b5ef..e44bab24e9 100644 --- a/modules/insights/activity-log-alert/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/insights/activity-log-alert/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/insights/component/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/component/tests/e2e/waf-aligned/main.test.bicep index 6a5019e911..19788dc94b 100644 --- a/modules/insights/component/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/insights/component/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/insights/data-collection-endpoint/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/data-collection-endpoint/tests/e2e/waf-aligned/main.test.bicep index 5fee251271..e587afcd6a 100644 --- a/modules/insights/data-collection-endpoint/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/insights/data-collection-endpoint/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/insights/diagnostic-setting/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/diagnostic-setting/tests/e2e/waf-aligned/main.test.bicep index 1cb3f4e768..7836a24eed 100644 --- a/modules/insights/diagnostic-setting/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/insights/diagnostic-setting/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/insights/metric-alert/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/metric-alert/tests/e2e/waf-aligned/main.test.bicep index 9cf53b311a..ee7bf8abbd 100644 --- a/modules/insights/metric-alert/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/insights/metric-alert/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/insights/private-link-scope/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/private-link-scope/tests/e2e/waf-aligned/main.test.bicep index 8188d7e4c1..bda1d61e70 100644 --- a/modules/insights/private-link-scope/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/insights/private-link-scope/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/insights/scheduled-query-rule/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/scheduled-query-rule/tests/e2e/waf-aligned/main.test.bicep index ef5c2d8690..6c924009a5 100644 --- a/modules/insights/scheduled-query-rule/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/insights/scheduled-query-rule/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/insights/webtest/tests/e2e/waf-aligned/main.test.bicep b/modules/insights/webtest/tests/e2e/waf-aligned/main.test.bicep index 08eab5ba2f..0fcdae082d 100644 --- a/modules/insights/webtest/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/insights/webtest/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/key-vault/vault/tests/e2e/waf-aligned/main.test.bicep b/modules/key-vault/vault/tests/e2e/waf-aligned/main.test.bicep index 09b81281ae..edca2e6418 100644 --- a/modules/key-vault/vault/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/key-vault/vault/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/kubernetes-configuration/extension/tests/e2e/waf-aligned/main.test.bicep b/modules/kubernetes-configuration/extension/tests/e2e/waf-aligned/main.test.bicep index 01b9f49a9b..bfcc8c9102 100644 --- a/modules/kubernetes-configuration/extension/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/kubernetes-configuration/extension/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/kubernetes-configuration/flux-configuration/tests/e2e/waf-aligned/main.test.bicep b/modules/kubernetes-configuration/flux-configuration/tests/e2e/waf-aligned/main.test.bicep index 615feee7d2..900a2585ff 100644 --- a/modules/kubernetes-configuration/flux-configuration/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/kubernetes-configuration/flux-configuration/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/logic/workflow/tests/e2e/waf-aligned/main.test.bicep b/modules/logic/workflow/tests/e2e/waf-aligned/main.test.bicep index 170a018bff..d2a5747507 100644 --- a/modules/logic/workflow/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/logic/workflow/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/machine-learning-services/workspace/tests/e2e/waf-aligned/main.test.bicep b/modules/machine-learning-services/workspace/tests/e2e/waf-aligned/main.test.bicep index 3810841417..2c0000e5e5 100644 --- a/modules/machine-learning-services/workspace/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/machine-learning-services/workspace/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/maintenance/maintenance-configuration/tests/e2e/waf-aligned/main.test.bicep b/modules/maintenance/maintenance-configuration/tests/e2e/waf-aligned/main.test.bicep index b17c39eb24..467bb46bba 100644 --- a/modules/maintenance/maintenance-configuration/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/maintenance/maintenance-configuration/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/managed-identity/user-assigned-identity/tests/e2e/waf-aligned/main.test.bicep b/modules/managed-identity/user-assigned-identity/tests/e2e/waf-aligned/main.test.bicep index c425af6402..fababf8321 100644 --- a/modules/managed-identity/user-assigned-identity/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/managed-identity/user-assigned-identity/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/managed-services/registration-definition/tests/e2e/waf-aligned/main.test.bicep b/modules/managed-services/registration-definition/tests/e2e/waf-aligned/main.test.bicep index 75f0cef773..553e1b72b9 100644 --- a/modules/managed-services/registration-definition/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/managed-services/registration-definition/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/management/management-group/tests/e2e/waf-aligned/main.test.bicep b/modules/management/management-group/tests/e2e/waf-aligned/main.test.bicep index b0da99a45e..8ccb083802 100644 --- a/modules/management/management-group/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/management/management-group/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'managementGroup' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/network/application-gateway-web-application-firewall-policy/tests/e2e/waf-aligned/main.test.bicep b/modules/network/application-gateway-web-application-firewall-policy/tests/e2e/waf-aligned/main.test.bicep index 3969836c01..0629a475af 100644 --- a/modules/network/application-gateway-web-application-firewall-policy/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/application-gateway-web-application-firewall-policy/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/network/application-gateway/tests/e2e/waf-aligned/main.test.bicep b/modules/network/application-gateway/tests/e2e/waf-aligned/main.test.bicep index 8dad883461..43b1c3d630 100644 --- a/modules/network/application-gateway/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/application-gateway/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/network/application-security-group/tests/e2e/waf-aligned/main.test.bicep b/modules/network/application-security-group/tests/e2e/waf-aligned/main.test.bicep index f9b085d772..052a71f7b1 100644 --- a/modules/network/application-security-group/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/application-security-group/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/network/azure-firewall/tests/e2e/waf-aligned/main.test.bicep b/modules/network/azure-firewall/tests/e2e/waf-aligned/main.test.bicep index 73263ae534..beb7ff6624 100644 --- a/modules/network/azure-firewall/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/azure-firewall/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/network/bastion-host/tests/e2e/waf-aligned/main.test.bicep b/modules/network/bastion-host/tests/e2e/waf-aligned/main.test.bicep index 82262adf93..30d7f82891 100644 --- a/modules/network/bastion-host/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/bastion-host/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/network/ddos-protection-plan/tests/e2e/waf-aligned/main.test.bicep b/modules/network/ddos-protection-plan/tests/e2e/waf-aligned/main.test.bicep index 860f39fd7c..8bdf24f0bd 100644 --- a/modules/network/ddos-protection-plan/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/ddos-protection-plan/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/network/dns-forwarding-ruleset/tests/e2e/waf-aligned/main.test.bicep b/modules/network/dns-forwarding-ruleset/tests/e2e/waf-aligned/main.test.bicep index eac5141cfe..d6dfab9955 100644 --- a/modules/network/dns-forwarding-ruleset/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/dns-forwarding-ruleset/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/network/dns-resolver/tests/e2e/waf-aligned/main.test.bicep b/modules/network/dns-resolver/tests/e2e/waf-aligned/main.test.bicep index e982dc4056..8748710b28 100644 --- a/modules/network/dns-resolver/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/dns-resolver/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/network/dns-zone/tests/e2e/waf-aligned/main.test.bicep b/modules/network/dns-zone/tests/e2e/waf-aligned/main.test.bicep index ac5a9aa82b..6e754253e1 100644 --- a/modules/network/dns-zone/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/dns-zone/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/network/express-route-circuit/tests/e2e/waf-aligned/main.test.bicep b/modules/network/express-route-circuit/tests/e2e/waf-aligned/main.test.bicep index cb24080ab7..a7c2a372a3 100644 --- a/modules/network/express-route-circuit/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/express-route-circuit/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/network/express-route-gateway/tests/e2e/waf-aligned/main.test.bicep b/modules/network/express-route-gateway/tests/e2e/waf-aligned/main.test.bicep index b7261b9006..3c237372da 100644 --- a/modules/network/express-route-gateway/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/express-route-gateway/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/network/firewall-policy/tests/e2e/waf-aligned/main.test.bicep b/modules/network/firewall-policy/tests/e2e/waf-aligned/main.test.bicep index 86b953679c..2c496ca64e 100644 --- a/modules/network/firewall-policy/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/firewall-policy/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/network/front-door-web-application-firewall-policy/tests/e2e/waf-aligned/main.test.bicep b/modules/network/front-door-web-application-firewall-policy/tests/e2e/waf-aligned/main.test.bicep index 1fe1753cf9..f7f4e7fad3 100644 --- a/modules/network/front-door-web-application-firewall-policy/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/front-door-web-application-firewall-policy/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/network/front-door/tests/e2e/waf-aligned/main.test.bicep b/modules/network/front-door/tests/e2e/waf-aligned/main.test.bicep index e5b122edf2..7767577465 100644 --- a/modules/network/front-door/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/front-door/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/network/ip-group/tests/e2e/waf-aligned/main.test.bicep b/modules/network/ip-group/tests/e2e/waf-aligned/main.test.bicep index 31bd059830..124d1cdf86 100644 --- a/modules/network/ip-group/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/ip-group/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/network/load-balancer/tests/e2e/waf-aligned/main.test.bicep b/modules/network/load-balancer/tests/e2e/waf-aligned/main.test.bicep index 5451e2a225..f0a9319226 100644 --- a/modules/network/load-balancer/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/load-balancer/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/network/local-network-gateway/tests/e2e/waf-aligned/main.test.bicep b/modules/network/local-network-gateway/tests/e2e/waf-aligned/main.test.bicep index 3c425d32c8..e47e0f4ebc 100644 --- a/modules/network/local-network-gateway/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/local-network-gateway/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/network/nat-gateway/tests/e2e/waf-aligned/main.test.bicep b/modules/network/nat-gateway/tests/e2e/waf-aligned/main.test.bicep index 813433ae8a..024f35b432 100644 --- a/modules/network/nat-gateway/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/nat-gateway/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/network/network-interface/tests/e2e/waf-aligned/main.test.bicep b/modules/network/network-interface/tests/e2e/waf-aligned/main.test.bicep index 10b13eb5f8..218c13495c 100644 --- a/modules/network/network-interface/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/network-interface/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/network/network-manager/tests/e2e/waf-aligned/main.test.bicep b/modules/network/network-manager/tests/e2e/waf-aligned/main.test.bicep index 9775808534..0b70f2b7b8 100644 --- a/modules/network/network-manager/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/network-manager/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/network/network-security-group/tests/e2e/waf-aligned/main.test.bicep b/modules/network/network-security-group/tests/e2e/waf-aligned/main.test.bicep index a08f2f5c07..7c9ac93549 100644 --- a/modules/network/network-security-group/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/network-security-group/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/network/network-watcher/tests/e2e/waf-aligned/main.test.bicep b/modules/network/network-watcher/tests/e2e/waf-aligned/main.test.bicep index b8fcba0ec0..730c05be9e 100644 --- a/modules/network/network-watcher/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/network-watcher/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/network/private-dns-zone/tests/e2e/waf-aligned/main.test.bicep b/modules/network/private-dns-zone/tests/e2e/waf-aligned/main.test.bicep index 081dc5c6c1..116e5bb75b 100644 --- a/modules/network/private-dns-zone/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/private-dns-zone/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/network/private-endpoint/tests/e2e/waf-aligned/main.test.bicep b/modules/network/private-endpoint/tests/e2e/waf-aligned/main.test.bicep index fd57bffe43..4e7c2b4c1f 100644 --- a/modules/network/private-endpoint/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/private-endpoint/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/network/private-link-service/tests/e2e/waf-aligned/main.test.bicep b/modules/network/private-link-service/tests/e2e/waf-aligned/main.test.bicep index c0094b8bc9..c327e89f13 100644 --- a/modules/network/private-link-service/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/private-link-service/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/network/public-ip-address/tests/e2e/waf-aligned/main.test.bicep b/modules/network/public-ip-address/tests/e2e/waf-aligned/main.test.bicep index 044a3173db..61d5598c0e 100644 --- a/modules/network/public-ip-address/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/public-ip-address/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/network/public-ip-prefix/tests/e2e/waf-aligned/main.test.bicep b/modules/network/public-ip-prefix/tests/e2e/waf-aligned/main.test.bicep index eb709a7ac1..298ddcbc5d 100644 --- a/modules/network/public-ip-prefix/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/public-ip-prefix/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/network/route-table/tests/e2e/waf-aligned/main.test.bicep b/modules/network/route-table/tests/e2e/waf-aligned/main.test.bicep index 3caae20917..83c92c0105 100644 --- a/modules/network/route-table/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/route-table/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/network/service-endpoint-policy/tests/e2e/waf-aligned/main.test.bicep b/modules/network/service-endpoint-policy/tests/e2e/waf-aligned/main.test.bicep index 9cc7e98f43..f2a407ed2a 100644 --- a/modules/network/service-endpoint-policy/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/service-endpoint-policy/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/network/trafficmanagerprofile/tests/e2e/waf-aligned/main.test.bicep b/modules/network/trafficmanagerprofile/tests/e2e/waf-aligned/main.test.bicep index 83106cc568..a1a7cb5738 100644 --- a/modules/network/trafficmanagerprofile/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/trafficmanagerprofile/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/network/virtual-hub/tests/e2e/waf-aligned/main.test.bicep b/modules/network/virtual-hub/tests/e2e/waf-aligned/main.test.bicep index 4aee8cd296..8ca1b21cbd 100644 --- a/modules/network/virtual-hub/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/virtual-hub/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/network/virtual-network/tests/e2e/waf-aligned/main.test.bicep b/modules/network/virtual-network/tests/e2e/waf-aligned/main.test.bicep index 51abbe0f8e..58a38a9530 100644 --- a/modules/network/virtual-network/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/virtual-network/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/network/virtual-wan/tests/e2e/waf-aligned/main.test.bicep b/modules/network/virtual-wan/tests/e2e/waf-aligned/main.test.bicep index d2671fd741..748fcbeaac 100644 --- a/modules/network/virtual-wan/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/virtual-wan/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/network/vpn-gateway/tests/e2e/waf-aligned/main.test.bicep b/modules/network/vpn-gateway/tests/e2e/waf-aligned/main.test.bicep index d182063697..7d7999ab09 100644 --- a/modules/network/vpn-gateway/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/vpn-gateway/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/network/vpn-site/tests/e2e/waf-aligned/main.test.bicep b/modules/network/vpn-site/tests/e2e/waf-aligned/main.test.bicep index 22286a4861..66ea85793c 100644 --- a/modules/network/vpn-site/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/network/vpn-site/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/operational-insights/workspace/tests/e2e/waf-aligned/main.test.bicep b/modules/operational-insights/workspace/tests/e2e/waf-aligned/main.test.bicep index 42b0858092..92f24e5733 100644 --- a/modules/operational-insights/workspace/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/operational-insights/workspace/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/power-bi-dedicated/capacity/tests/e2e/waf-aligned/main.test.bicep b/modules/power-bi-dedicated/capacity/tests/e2e/waf-aligned/main.test.bicep index 9ca0870b86..204d4c8d00 100644 --- a/modules/power-bi-dedicated/capacity/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/power-bi-dedicated/capacity/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/purview/account/tests/e2e/waf-aligned/main.test.bicep b/modules/purview/account/tests/e2e/waf-aligned/main.test.bicep index aacd2d49f5..1fc2ee5e43 100644 --- a/modules/purview/account/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/purview/account/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/recovery-services/vault/tests/e2e/waf-aligned/main.test.bicep b/modules/recovery-services/vault/tests/e2e/waf-aligned/main.test.bicep index 412b60ed34..c61f06f157 100644 --- a/modules/recovery-services/vault/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/recovery-services/vault/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/relay/namespace/tests/e2e/waf-aligned/main.test.bicep b/modules/relay/namespace/tests/e2e/waf-aligned/main.test.bicep index 28d76d1e2a..2e3268af07 100644 --- a/modules/relay/namespace/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/relay/namespace/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/resource-graph/query/tests/e2e/waf-aligned/main.test.bicep b/modules/resource-graph/query/tests/e2e/waf-aligned/main.test.bicep index 2b19e11e33..5858166d43 100644 --- a/modules/resource-graph/query/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/resource-graph/query/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/resources/resource-group/tests/e2e/waf-aligned/main.test.bicep b/modules/resources/resource-group/tests/e2e/waf-aligned/main.test.bicep index b2184ff80d..d5e6d7df88 100644 --- a/modules/resources/resource-group/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/resources/resource-group/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/search/search-service/tests/e2e/waf-aligned/main.test.bicep b/modules/search/search-service/tests/e2e/waf-aligned/main.test.bicep index 7c3f4ba730..c01e840d45 100644 --- a/modules/search/search-service/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/search/search-service/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/security/azure-security-center/tests/e2e/waf-aligned/main.test.bicep b/modules/security/azure-security-center/tests/e2e/waf-aligned/main.test.bicep index 5aa78ce94f..1bb6ec0985 100644 --- a/modules/security/azure-security-center/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/security/azure-security-center/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/service-bus/namespace/tests/e2e/waf-aligned/main.test.bicep b/modules/service-bus/namespace/tests/e2e/waf-aligned/main.test.bicep index 6caa94722f..2d7aac3873 100644 --- a/modules/service-bus/namespace/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/service-bus/namespace/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/service-fabric/cluster/tests/e2e/waf-aligned/main.test.bicep b/modules/service-fabric/cluster/tests/e2e/waf-aligned/main.test.bicep index 6e0bbabaa5..6b1ad668cc 100644 --- a/modules/service-fabric/cluster/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/service-fabric/cluster/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/signal-r-service/signal-r/tests/e2e/waf-aligned/main.test.bicep b/modules/signal-r-service/signal-r/tests/e2e/waf-aligned/main.test.bicep index 27cadf9d2f..5c88da4283 100644 --- a/modules/signal-r-service/signal-r/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/signal-r-service/signal-r/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/signal-r-service/web-pub-sub/tests/e2e/waf-aligned/main.test.bicep b/modules/signal-r-service/web-pub-sub/tests/e2e/waf-aligned/main.test.bicep index f268d12aff..2391c085b0 100644 --- a/modules/signal-r-service/web-pub-sub/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/signal-r-service/web-pub-sub/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/sql/managed-instance/tests/e2e/waf-aligned/main.test.bicep b/modules/sql/managed-instance/tests/e2e/waf-aligned/main.test.bicep index cfb478e53a..c5846900f8 100644 --- a/modules/sql/managed-instance/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/sql/managed-instance/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/sql/server/tests/e2e/waf-aligned/main.test.bicep b/modules/sql/server/tests/e2e/waf-aligned/main.test.bicep index 2546c5129a..c9e7ee69cf 100644 --- a/modules/sql/server/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/sql/server/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/storage/storage-account/tests/e2e/waf-aligned/main.test.bicep b/modules/storage/storage-account/tests/e2e/waf-aligned/main.test.bicep index c5c29a5a21..0c03921624 100644 --- a/modules/storage/storage-account/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/storage/storage-account/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/synapse/private-link-hub/tests/e2e/waf-aligned/main.test.bicep b/modules/synapse/private-link-hub/tests/e2e/waf-aligned/main.test.bicep index ae9f60f7cb..c5b50dbbd7 100644 --- a/modules/synapse/private-link-hub/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/synapse/private-link-hub/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/synapse/workspace/tests/e2e/waf-aligned/main.test.bicep b/modules/synapse/workspace/tests/e2e/waf-aligned/main.test.bicep index 3743263eb1..cd02520ced 100644 --- a/modules/synapse/workspace/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/synapse/workspace/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/virtual-machine-images/image-template/tests/e2e/waf-aligned/main.test.bicep b/modules/virtual-machine-images/image-template/tests/e2e/waf-aligned/main.test.bicep index 1e786d42b0..7e2e523fee 100644 --- a/modules/virtual-machine-images/image-template/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/virtual-machine-images/image-template/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/web/connection/tests/e2e/waf-aligned/main.test.bicep b/modules/web/connection/tests/e2e/waf-aligned/main.test.bicep index 1b7a62c44a..acc6afbcd9 100644 --- a/modules/web/connection/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/web/connection/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/web/serverfarm/tests/e2e/waf-aligned/main.test.bicep b/modules/web/serverfarm/tests/e2e/waf-aligned/main.test.bicep index 946d6bdaa4..b6be6a4df6 100644 --- a/modules/web/serverfarm/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/web/serverfarm/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // diff --git a/modules/web/static-site/tests/e2e/waf-aligned/main.test.bicep b/modules/web/static-site/tests/e2e/waf-aligned/main.test.bicep index a122836e7e..0b1be9250e 100644 --- a/modules/web/static-site/tests/e2e/waf-aligned/main.test.bicep +++ b/modules/web/static-site/tests/e2e/waf-aligned/main.test.bicep @@ -1,7 +1,7 @@ targetScope = 'subscription' -metadata name = 'Using large parameter set' -metadata description = 'This instance deploys the module with most of its features enabled.' +metadata name = 'WAF-aligned' +metadata description = 'This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework.' // ========== // // Parameters // From 6a4f113577e85ed45b02a99efc3ee59e3b619a69 Mon Sep 17 00:00:00 2001 From: Erika Gressi Date: Sun, 5 Nov 2023 22:58:58 +0100 Subject: [PATCH 4/4] waf readme --- modules/aad/domain-service/README.md | 129 +++ modules/analysis-services/server/README.md | 163 +++ modules/api-management/service/README.md | 371 +++++++ .../configuration-store/README.md | 177 ++++ modules/app/container-app/README.md | 163 +++ modules/app/job/README.md | 199 ++++ modules/app/managed-environment/README.md | 101 ++ modules/authorization/lock/README.md | 57 ++ .../automation/automation-account/README.md | 457 +++++++++ modules/batch/batch-account/README.md | 183 ++++ modules/cache/redis-enterprise/README.md | 195 ++++ modules/cache/redis/README.md | 183 ++++ modules/cdn/profile/README.md | 149 +++ modules/cognitive-services/account/README.md | 201 ++++ modules/compute/availability-set/README.md | 91 ++ modules/compute/disk-encryption-set/README.md | 107 ++ modules/compute/disk/README.md | 115 +++ modules/compute/gallery/README.md | 325 ++++++ modules/compute/image/README.md | 113 +++ .../proximity-placement-group/README.md | 127 +++ modules/compute/ssh-public-key/README.md | 53 + modules/consumption/budget/README.md | 77 ++ .../container-group/README.md | 201 ++++ modules/container-registry/registry/README.md | 257 +++++ modules/data-factory/factory/README.md | 247 +++++ .../data-protection/backup-vault/README.md | 225 +++++ modules/databricks/access-connector/README.md | 105 ++ modules/databricks/workspace/README.md | 247 +++++ .../application-group/README.md | 165 ++++ .../host-pool/README.md | 207 ++++ .../scaling-plan/README.md | 191 ++++ .../workspace/README.md | 127 +++ modules/dev-test-lab/lab/README.md | 543 ++++++++++ .../digital-twins-instance/README.md | 181 ++++ modules/event-grid/domain/README.md | 169 ++++ modules/event-grid/system-topic/README.md | 183 ++++ modules/event-grid/topic/README.md | 211 ++++ modules/event-hub/namespace/README.md | 397 ++++++++ modules/health-bot/health-bot/README.md | 103 ++ modules/healthcare-apis/workspace/README.md | 283 ++++++ modules/insights/action-group/README.md | 123 +++ modules/insights/activity-log-alert/README.md | 163 +++ modules/insights/component/README.md | 111 +++ .../data-collection-endpoint/README.md | 95 ++ modules/insights/diagnostic-setting/README.md | 73 ++ modules/insights/metric-alert/README.md | 125 +++ modules/insights/private-link-scope/README.md | 118 +++ .../insights/scheduled-query-rule/README.md | 165 ++++ modules/insights/webtest/README.md | 99 ++ modules/key-vault/vault/README.md | 303 ++++++ .../extension/README.md | 115 +++ .../flux-configuration/README.md | 103 ++ modules/logic/workflow/README.md | 195 ++++ .../workspace/README.md | 253 +++++ .../maintenance-configuration/README.md | 153 +++ .../user-assigned-identity/README.md | 105 ++ .../registration-definition/README.md | 93 ++ modules/management/management-group/README.md | 57 ++ .../README.md | 103 ++ modules/network/application-gateway/README.md | 935 ++++++++++++++++++ .../application-security-group/README.md | 87 ++ modules/network/azure-firewall/README.md | 303 ++++++ modules/network/bastion-host/README.md | 139 +++ .../network/ddos-protection-plan/README.md | 87 ++ .../network/dns-forwarding-ruleset/README.md | 131 +++ modules/network/dns-resolver/README.md | 93 ++ modules/network/dns-zone/README.md | 401 ++++++++ .../network/express-route-circuit/README.md | 141 +++ .../network/express-route-gateway/README.md | 97 ++ modules/network/firewall-policy/README.md | 147 +++ .../README.md | 221 +++++ modules/network/front-door/README.md | 279 ++++++ modules/network/ip-group/README.md | 97 ++ modules/network/load-balancer/README.md | 289 ++++++ .../network/local-network-gateway/README.md | 107 ++ modules/network/nat-gateway/README.md | 153 +++ modules/network/network-interface/README.md | 167 ++++ modules/network/network-manager/README.md | 451 +++++++++ .../network/network-security-group/README.md | 237 +++++ modules/network/network-watcher/README.md | 219 ++++ modules/network/private-dns-zone/README.md | 407 ++++++++ modules/network/private-endpoint/README.md | 163 +++ .../network/private-link-service/README.md | 163 +++ modules/network/public-ip-address/README.md | 137 +++ modules/network/public-ip-prefix/README.md | 91 ++ modules/network/route-table/README.md | 109 ++ .../network/service-endpoint-policy/README.md | 115 +++ .../network/trafficmanagerprofile/README.md | 121 +++ modules/network/virtual-hub/README.md | 135 +++ modules/network/virtual-network/README.md | 231 +++++ modules/network/virtual-wan/README.md | 103 ++ modules/network/vpn-gateway/README.md | 151 +++ modules/network/vpn-site/README.md | 177 ++++ .../operational-insights/workspace/README.md | 409 ++++++++ modules/power-bi-dedicated/capacity/README.md | 99 ++ modules/purview/account/README.md | 291 ++++++ modules/recovery-services/vault/README.md | 687 +++++++++++++ modules/relay/namespace/README.md | 289 ++++++ modules/resource-graph/query/README.md | 95 ++ modules/resources/resource-group/README.md | 87 ++ modules/search/search-service/README.md | 193 ++++ .../security/azure-security-center/README.md | 63 ++ modules/service-bus/namespace/README.md | 391 ++++++++ modules/service-fabric/cluster/README.md | 415 ++++++++ modules/signal-r-service/signal-r/README.md | 193 ++++ .../signal-r-service/web-pub-sub/README.md | 199 ++++ modules/sql/managed-instance/README.md | 293 ++++++ modules/sql/server/README.md | 319 ++++++ modules/storage/storage-account/README.md | 615 ++++++++++++ modules/synapse/private-link-hub/README.md | 127 +++ modules/synapse/workspace/README.md | 173 ++++ .../image-template/README.md | 173 ++++ modules/web/connection/README.md | 99 ++ modules/web/serverfarm/README.md | 133 +++ modules/web/static-site/README.md | 173 ++++ 115 files changed, 22730 insertions(+) diff --git a/modules/aad/domain-service/README.md b/modules/aad/domain-service/README.md index 1330a6f5ec..673231c2f7 100644 --- a/modules/aad/domain-service/README.md +++ b/modules/aad/domain-service/README.md @@ -29,6 +29,7 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/aad.domain-service:1.0.0`. - [Using large parameter set](#example-1-using-large-parameter-set) +- [WAF-aligned](#example-2-waf-aligned) ### Example 1: _Using large parameter set_ @@ -158,6 +159,134 @@ module domainService 'br:bicep/modules/aad.domain-service:1.0.0' = {

+### Example 2: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module domainService 'br:bicep/modules/aad.domain-service:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-aaddswaf' + params: { + // Required parameters + domainName: 'onmicrosoft.com' + // Non-required parameters + additionalRecipients: [ + '@noreply.github.com' + ] + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + name: 'aaddswaf001' + pfxCertificate: '' + pfxCertificatePassword: '' + replicaSets: [ + { + location: 'WestEurope' + subnetId: '' + } + ] + sku: 'Standard' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "domainName": { + "value": "onmicrosoft.com" + }, + // Non-required parameters + "additionalRecipients": { + "value": [ + "@noreply.github.com" + ] + }, + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "name": { + "value": "aaddswaf001" + }, + "pfxCertificate": { + "value": "" + }, + "pfxCertificatePassword": { + "value": "" + }, + "replicaSets": { + "value": [ + { + "location": "WestEurope", + "subnetId": "" + } + ] + }, + "sku": { + "value": "Standard" + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/analysis-services/server/README.md b/modules/analysis-services/server/README.md index 73d7a21652..c35c2a2be3 100644 --- a/modules/analysis-services/server/README.md +++ b/modules/analysis-services/server/README.md @@ -29,6 +29,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -240,6 +241,168 @@ module server 'br:bicep/modules/analysis-services.server:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module server 'br:bicep/modules/analysis-services.server:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-asswaf' + params: { + // Required parameters + name: 'asswaf' + // Non-required parameters + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + logCategoriesAndGroups: [ + { + category: 'Engine' + } + { + category: 'Service' + } + ] + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + firewallSettings: { + enablePowerBIService: true + firewallRules: [ + { + firewallRuleName: 'AllowFromAll' + rangeEnd: '255.255.255.255' + rangeStart: '0.0.0.0' + } + ] + } + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + skuCapacity: 1 + skuName: 'S0' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "asswaf" + }, + // Non-required parameters + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "logCategoriesAndGroups": [ + { + "category": "Engine" + }, + { + "category": "Service" + } + ], + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "firewallSettings": { + "value": { + "enablePowerBIService": true, + "firewallRules": [ + { + "firewallRuleName": "AllowFromAll", + "rangeEnd": "255.255.255.255", + "rangeStart": "0.0.0.0" + } + ] + } + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "skuCapacity": { + "value": 1 + }, + "skuName": { + "value": "S0" + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/api-management/service/README.md b/modules/api-management/service/README.md index 49ae4a583a..64ee78c465 100644 --- a/modules/api-management/service/README.md +++ b/modules/api-management/service/README.md @@ -44,6 +44,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -471,6 +472,376 @@ module service 'br:bicep/modules/api-management.service:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module service 'br:bicep/modules/api-management.service:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-apiswaf' + params: { + // Required parameters + name: 'apiswaf001' + publisherEmail: 'apimgmt-noreply@mail.windowsazure.com' + publisherName: 'az-amorg-x-001' + // Non-required parameters + apis: [ + { + apiVersionSet: { + name: 'echo-version-set' + properties: { + description: 'echo-version-set' + displayName: 'echo-version-set' + versioningScheme: 'Segment' + } + } + displayName: 'Echo API' + name: 'echo-api' + path: 'echo' + serviceUrl: 'http://echoapi.cloudapp.net/api' + } + ] + authorizationServers: { + secureList: [ + { + authorizationEndpoint: '' + clientId: 'apimclientid' + clientRegistrationEndpoint: 'http://localhost' + clientSecret: '' + grantTypes: [ + 'authorizationCode' + ] + name: 'AuthServer1' + tokenEndpoint: '' + } + ] + } + backends: [ + { + name: 'backend' + tls: { + validateCertificateChain: false + validateCertificateName: false + } + url: 'http://echoapi.cloudapp.net/api' + } + ] + caches: [ + { + connectionString: 'connectionstringtest' + name: 'westeurope' + useFromLocation: 'westeurope' + } + ] + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + identityProviders: [ + { + name: 'aadProvider' + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } + namedValues: [ + { + displayName: 'apimkey' + name: 'apimkey' + secret: true + } + ] + policies: [ + { + format: 'xml' + value: ' ' + } + ] + portalsettings: [ + { + name: 'signin' + properties: { + enabled: false + } + } + { + name: 'signup' + properties: { + enabled: false + termsOfService: { + consentRequired: false + enabled: false + } + } + } + ] + products: [ + { + apis: [ + { + name: 'echo-api' + } + ] + approvalRequired: false + groups: [ + { + name: 'developers' + } + ] + name: 'Starter' + subscriptionRequired: false + } + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + subscriptions: [ + { + name: 'testArmSubscriptionAllApis' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "apiswaf001" + }, + "publisherEmail": { + "value": "apimgmt-noreply@mail.windowsazure.com" + }, + "publisherName": { + "value": "az-amorg-x-001" + }, + // Non-required parameters + "apis": { + "value": [ + { + "apiVersionSet": { + "name": "echo-version-set", + "properties": { + "description": "echo-version-set", + "displayName": "echo-version-set", + "versioningScheme": "Segment" + } + }, + "displayName": "Echo API", + "name": "echo-api", + "path": "echo", + "serviceUrl": "http://echoapi.cloudapp.net/api" + } + ] + }, + "authorizationServers": { + "value": { + "secureList": [ + { + "authorizationEndpoint": "", + "clientId": "apimclientid", + "clientRegistrationEndpoint": "http://localhost", + "clientSecret": "", + "grantTypes": [ + "authorizationCode" + ], + "name": "AuthServer1", + "tokenEndpoint": "" + } + ] + } + }, + "backends": { + "value": [ + { + "name": "backend", + "tls": { + "validateCertificateChain": false, + "validateCertificateName": false + }, + "url": "http://echoapi.cloudapp.net/api" + } + ] + }, + "caches": { + "value": [ + { + "connectionString": "connectionstringtest", + "name": "westeurope", + "useFromLocation": "westeurope" + } + ] + }, + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "identityProviders": { + "value": [ + { + "name": "aadProvider" + } + ] + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, + "namedValues": { + "value": [ + { + "displayName": "apimkey", + "name": "apimkey", + "secret": true + } + ] + }, + "policies": { + "value": [ + { + "format": "xml", + "value": " " + } + ] + }, + "portalsettings": { + "value": [ + { + "name": "signin", + "properties": { + "enabled": false + } + }, + { + "name": "signup", + "properties": { + "enabled": false, + "termsOfService": { + "consentRequired": false, + "enabled": false + } + } + } + ] + }, + "products": { + "value": [ + { + "apis": [ + { + "name": "echo-api" + } + ], + "approvalRequired": false, + "groups": [ + { + "name": "developers" + } + ], + "name": "Starter", + "subscriptionRequired": false + } + ] + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "subscriptions": { + "value": [ + { + "name": "testArmSubscriptionAllApis" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/app-configuration/configuration-store/README.md b/modules/app-configuration/configuration-store/README.md index e057fc4288..83006ae973 100644 --- a/modules/app-configuration/configuration-store/README.md +++ b/modules/app-configuration/configuration-store/README.md @@ -34,6 +34,7 @@ The following section provides usage examples for the module, which were used to - [Encr](#example-2-encr) - [Using large parameter set](#example-3-using-large-parameter-set) - [Pe](#example-4-pe) +- [WAF-aligned](#example-5-waf-aligned) ### Example 1: _Using only defaults_ @@ -503,6 +504,182 @@ module configurationStore 'br:bicep/modules/app-configuration.configuration-stor

+### Example 5: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module configurationStore 'br:bicep/modules/app-configuration.configuration-store:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-accwaf' + params: { + // Required parameters + name: 'accwaf001' + // Non-required parameters + createMode: 'Default' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + disableLocalAuth: false + enableDefaultTelemetry: '' + enablePurgeProtection: false + keyValues: [ + { + contentType: 'contentType' + name: 'keyName' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + value: 'valueName' + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + softDeleteRetentionInDays: 1 + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "accwaf001" + }, + // Non-required parameters + "createMode": { + "value": "Default" + }, + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "disableLocalAuth": { + "value": false + }, + "enableDefaultTelemetry": { + "value": "" + }, + "enablePurgeProtection": { + "value": false + }, + "keyValues": { + "value": [ + { + "contentType": "contentType", + "name": "keyName", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "value": "valueName" + } + ] + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "softDeleteRetentionInDays": { + "value": 1 + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/app/container-app/README.md b/modules/app/container-app/README.md index 56ef31b6d4..c6ad339911 100644 --- a/modules/app/container-app/README.md +++ b/modules/app/container-app/README.md @@ -28,6 +28,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -279,6 +280,168 @@ module containerApp 'br:bicep/modules/app.container-app:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module containerApp 'br:bicep/modules/app.container-app:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-mcappwaf' + params: { + // Required parameters + containers: [ + { + image: 'mcr.microsoft.com/azuredocs/containerapps-helloworld:latest' + name: 'simple-hello-world-container' + probes: [ + { + httpGet: { + httpHeaders: [ + { + name: 'Custom-Header' + value: 'Awesome' + } + ] + path: '/health' + port: 8080 + } + initialDelaySeconds: 3 + periodSeconds: 3 + type: 'Liveness' + } + ] + resources: { + cpu: '' + memory: '0.5Gi' + } + } + ] + environmentId: '' + name: 'mcappwaf001' + // Non-required parameters + enableDefaultTelemetry: '' + location: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + userAssignedResourcesIds: [ + '' + ] + } + secrets: { + secureList: [ + { + name: 'customtest' + value: '' + } + ] + } + tags: { + Env: 'test' + 'hidden-title': 'This is visible in the resource name' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "containers": { + "value": [ + { + "image": "mcr.microsoft.com/azuredocs/containerapps-helloworld:latest", + "name": "simple-hello-world-container", + "probes": [ + { + "httpGet": { + "httpHeaders": [ + { + "name": "Custom-Header", + "value": "Awesome" + } + ], + "path": "/health", + "port": 8080 + }, + "initialDelaySeconds": 3, + "periodSeconds": 3, + "type": "Liveness" + } + ], + "resources": { + "cpu": "", + "memory": "0.5Gi" + } + } + ] + }, + "environmentId": { + "value": "" + }, + "name": { + "value": "mcappwaf001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "location": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "userAssignedResourcesIds": [ + "" + ] + } + }, + "secrets": { + "value": { + "secureList": [ + { + "name": "customtest", + "value": "" + } + ] + } + }, + "tags": { + "value": { + "Env": "test", + "hidden-title": "This is visible in the resource name" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/app/job/README.md b/modules/app/job/README.md index c5d025fad6..042067b52b 100644 --- a/modules/app/job/README.md +++ b/modules/app/job/README.md @@ -28,6 +28,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -329,6 +330,204 @@ module job 'br:bicep/modules/app.job:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module job 'br:bicep/modules/app.job:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-ajwaf' + params: { + // Required parameters + containers: [ + { + image: 'mcr.microsoft.com/azuredocs/containerapps-helloworld:latest' + name: 'simple-hello-world-container' + probes: [ + { + httpGet: { + httpHeaders: [ + { + name: 'Custom-Header' + value: 'Awesome' + } + ] + path: '/health' + port: 8080 + } + initialDelaySeconds: 3 + periodSeconds: 3 + type: 'Liveness' + } + ] + resources: { + cpu: '' + memory: '0.5Gi' + } + } + ] + environmentId: '' + name: 'ajwaf001' + triggerType: 'Manual' + // Non-required parameters + enableDefaultTelemetry: '' + location: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } + manualTriggerConfig: { + parallelism: 1 + replicaCompletionCount: 1 + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'ContainerApp Reader' + } + ] + secrets: { + secureList: [ + { + name: 'customtest' + value: '' + } + ] + } + tags: { + Env: 'test' + 'hidden-title': 'This is visible in the resource name' + } + workloadProfileName: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "containers": { + "value": [ + { + "image": "mcr.microsoft.com/azuredocs/containerapps-helloworld:latest", + "name": "simple-hello-world-container", + "probes": [ + { + "httpGet": { + "httpHeaders": [ + { + "name": "Custom-Header", + "value": "Awesome" + } + ], + "path": "/health", + "port": 8080 + }, + "initialDelaySeconds": 3, + "periodSeconds": 3, + "type": "Liveness" + } + ], + "resources": { + "cpu": "", + "memory": "0.5Gi" + } + } + ] + }, + "environmentId": { + "value": "" + }, + "name": { + "value": "ajwaf001" + }, + "triggerType": { + "value": "Manual" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "location": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, + "manualTriggerConfig": { + "value": { + "parallelism": 1, + "replicaCompletionCount": 1 + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "ContainerApp Reader" + } + ] + }, + "secrets": { + "value": { + "secureList": [ + { + "name": "customtest", + "value": "" + } + ] + } + }, + "tags": { + "value": { + "Env": "test", + "hidden-title": "This is visible in the resource name" + } + }, + "workloadProfileName": { + "value": "" + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/app/managed-environment/README.md b/modules/app/managed-environment/README.md index 40ec6dfd7e..d222427925 100644 --- a/modules/app/managed-environment/README.md +++ b/modules/app/managed-environment/README.md @@ -28,6 +28,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -179,6 +180,106 @@ module managedEnvironment 'br:bicep/modules/app.managed-environment:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module managedEnvironment 'br:bicep/modules/app.managed-environment:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-amewaf' + params: { + // Required parameters + enableDefaultTelemetry: '' + logAnalyticsWorkspaceResourceId: '' + name: 'amewaf001' + // Non-required parameters + dockerBridgeCidr: '172.16.0.1/28' + infrastructureSubnetId: '' + internal: true + location: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + platformReservedCidr: '172.17.17.0/24' + platformReservedDnsIP: '172.17.17.17' + skuName: 'Consumption' + tags: { + Env: 'test' + 'hidden-title': 'This is visible in the resource name' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "logAnalyticsWorkspaceResourceId": { + "value": "" + }, + "name": { + "value": "amewaf001" + }, + // Non-required parameters + "dockerBridgeCidr": { + "value": "172.16.0.1/28" + }, + "infrastructureSubnetId": { + "value": "" + }, + "internal": { + "value": true + }, + "location": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "platformReservedCidr": { + "value": "172.17.17.0/24" + }, + "platformReservedDnsIP": { + "value": "172.17.17.17" + }, + "skuName": { + "value": "Consumption" + }, + "tags": { + "value": { + "Env": "test", + "hidden-title": "This is visible in the resource name" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/authorization/lock/README.md b/modules/authorization/lock/README.md index 5d3f67c3e0..7e2543aee3 100644 --- a/modules/authorization/lock/README.md +++ b/modules/authorization/lock/README.md @@ -25,6 +25,7 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/authorization.lock:1.0.0`. - [Using large parameter set](#example-1-using-large-parameter-set) +- [WAF-aligned](#example-2-waf-aligned) ### Example 1: _Using large parameter set_ @@ -82,6 +83,62 @@ module lock 'br:bicep/modules/authorization.lock:1.0.0' = {

+### Example 2: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module lock 'br:bicep/modules/authorization.lock:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-alwaf' + params: { + // Required parameters + level: 'CanNotDelete' + // Non-required parameters + enableDefaultTelemetry: '' + resourceGroupName: '' + subscriptionId: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "level": { + "value": "CanNotDelete" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "resourceGroupName": { + "value": "" + }, + "subscriptionId": { + "value": "" + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/automation/automation-account/README.md b/modules/automation/automation-account/README.md index 49340e030c..42e498b90a 100644 --- a/modules/automation/automation-account/README.md +++ b/modules/automation/automation-account/README.md @@ -40,6 +40,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Encr](#example-2-encr) - [Using large parameter set](#example-3-using-large-parameter-set) +- [WAF-aligned](#example-4-waf-aligned) ### Example 1: _Using only defaults_ @@ -614,6 +615,462 @@ module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0'

+### Example 4: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module automationAccount 'br:bicep/modules/automation.automation-account:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-aawaf' + params: { + // Required parameters + name: 'aawaf001' + // Non-required parameters + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + disableLocalAuth: true + enableDefaultTelemetry: '' + gallerySolutions: [ + { + name: 'Updates' + product: 'OMSGallery' + publisher: 'Microsoft' + } + ] + jobSchedules: [ + { + runbookName: 'TestRunbook' + scheduleName: 'TestSchedule' + } + ] + linkedWorkspaceResourceId: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } + modules: [ + { + name: 'PSWindowsUpdate' + uri: 'https://www.powershellgallery.com/api/v2/package' + version: 'latest' + } + ] + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + service: 'Webhook' + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + { + privateDnsZoneResourceIds: [ + '' + ] + service: 'DSCAndHybridWorker' + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + runbooks: [ + { + description: 'Test runbook' + name: 'TestRunbook' + type: 'PowerShell' + uri: 'https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.automation/101-automation/scripts/AzureAutomationTutorial.ps1' + version: '1.0.0.0' + } + ] + schedules: [ + { + advancedSchedule: {} + expiryTime: '9999-12-31T13:00' + frequency: 'Hour' + interval: 12 + name: 'TestSchedule' + startTime: '' + timeZone: 'Europe/Berlin' + } + ] + softwareUpdateConfigurations: [ + { + excludeUpdates: [ + '123456' + ] + frequency: 'Month' + includeUpdates: [ + '654321' + ] + interval: 1 + maintenanceWindow: 'PT4H' + monthlyOccurrences: [ + { + day: 'Friday' + occurrence: 3 + } + ] + name: 'Windows_ZeroDay' + operatingSystem: 'Windows' + rebootSetting: 'IfRequired' + scopeByTags: { + Update: [ + 'Automatic-Wave1' + ] + } + startTime: '22:00' + updateClassifications: [ + 'Critical' + 'Definition' + 'FeaturePack' + 'Security' + 'ServicePack' + 'Tools' + 'UpdateRollup' + 'Updates' + ] + } + { + excludeUpdates: [ + 'icacls' + ] + frequency: 'OneTime' + includeUpdates: [ + 'kernel' + ] + maintenanceWindow: 'PT4H' + name: 'Linux_ZeroDay' + operatingSystem: 'Linux' + rebootSetting: 'IfRequired' + startTime: '22:00' + updateClassifications: [ + 'Critical' + 'Other' + 'Security' + ] + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + variables: [ + { + description: 'TestStringDescription' + name: 'TestString' + value: '\'TestString\'' + } + { + description: 'TestIntegerDescription' + name: 'TestInteger' + value: '500' + } + { + description: 'TestBooleanDescription' + name: 'TestBoolean' + value: 'false' + } + { + description: 'TestDateTimeDescription' + isEncrypted: false + name: 'TestDateTime' + value: '\'\\/Date(1637934042656)\\/\'' + } + { + description: 'TestEncryptedDescription' + name: 'TestEncryptedVariable' + value: '\'TestEncryptedValue\'' + } + ] + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "aawaf001" + }, + // Non-required parameters + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "disableLocalAuth": { + "value": true + }, + "enableDefaultTelemetry": { + "value": "" + }, + "gallerySolutions": { + "value": [ + { + "name": "Updates", + "product": "OMSGallery", + "publisher": "Microsoft" + } + ] + }, + "jobSchedules": { + "value": [ + { + "runbookName": "TestRunbook", + "scheduleName": "TestSchedule" + } + ] + }, + "linkedWorkspaceResourceId": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, + "modules": { + "value": [ + { + "name": "PSWindowsUpdate", + "uri": "https://www.powershellgallery.com/api/v2/package", + "version": "latest" + } + ] + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "service": "Webhook", + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + { + "privateDnsZoneResourceIds": [ + "" + ], + "service": "DSCAndHybridWorker", + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "runbooks": { + "value": [ + { + "description": "Test runbook", + "name": "TestRunbook", + "type": "PowerShell", + "uri": "https://raw.githubusercontent.com/Azure/azure-quickstart-templates/master/quickstarts/microsoft.automation/101-automation/scripts/AzureAutomationTutorial.ps1", + "version": "1.0.0.0" + } + ] + }, + "schedules": { + "value": [ + { + "advancedSchedule": {}, + "expiryTime": "9999-12-31T13:00", + "frequency": "Hour", + "interval": 12, + "name": "TestSchedule", + "startTime": "", + "timeZone": "Europe/Berlin" + } + ] + }, + "softwareUpdateConfigurations": { + "value": [ + { + "excludeUpdates": [ + "123456" + ], + "frequency": "Month", + "includeUpdates": [ + "654321" + ], + "interval": 1, + "maintenanceWindow": "PT4H", + "monthlyOccurrences": [ + { + "day": "Friday", + "occurrence": 3 + } + ], + "name": "Windows_ZeroDay", + "operatingSystem": "Windows", + "rebootSetting": "IfRequired", + "scopeByTags": { + "Update": [ + "Automatic-Wave1" + ] + }, + "startTime": "22:00", + "updateClassifications": [ + "Critical", + "Definition", + "FeaturePack", + "Security", + "ServicePack", + "Tools", + "UpdateRollup", + "Updates" + ] + }, + { + "excludeUpdates": [ + "icacls" + ], + "frequency": "OneTime", + "includeUpdates": [ + "kernel" + ], + "maintenanceWindow": "PT4H", + "name": "Linux_ZeroDay", + "operatingSystem": "Linux", + "rebootSetting": "IfRequired", + "startTime": "22:00", + "updateClassifications": [ + "Critical", + "Other", + "Security" + ] + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "variables": { + "value": [ + { + "description": "TestStringDescription", + "name": "TestString", + "value": "\"TestString\"" + }, + { + "description": "TestIntegerDescription", + "name": "TestInteger", + "value": "500" + }, + { + "description": "TestBooleanDescription", + "name": "TestBoolean", + "value": "false" + }, + { + "description": "TestDateTimeDescription", + "isEncrypted": false, + "name": "TestDateTime", + "value": "\"\\/Date(1637934042656)\\/\"" + }, + { + "description": "TestEncryptedDescription", + "name": "TestEncryptedVariable", + "value": "\"TestEncryptedValue\"" + } + ] + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/batch/batch-account/README.md b/modules/batch/batch-account/README.md index 3a1c9b5e7f..2d71887df9 100644 --- a/modules/batch/batch-account/README.md +++ b/modules/batch/batch-account/README.md @@ -34,6 +34,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Encr](#example-2-encr) - [Using large parameter set](#example-3-using-large-parameter-set) +- [WAF-aligned](#example-4-waf-aligned) ### Example 1: _Using only defaults_ @@ -392,6 +393,188 @@ module batchAccount 'br:bicep/modules/batch.batch-account:1.0.0' = {

+### Example 4: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module batchAccount 'br:bicep/modules/batch.batch-account:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-bbawaf' + params: { + // Required parameters + name: 'bbawaf001' + storageAccountId: '' + // Non-required parameters + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + systemAssigned: true + } + poolAllocationMode: 'BatchService' + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + storageAccessIdentity: '' + storageAuthenticationMode: 'BatchAccountManagedIdentity' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "bbawaf001" + }, + "storageAccountId": { + "value": "" + }, + // Non-required parameters + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "systemAssigned": true + } + }, + "poolAllocationMode": { + "value": "BatchService" + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "storageAccessIdentity": { + "value": "" + }, + "storageAuthenticationMode": { + "value": "BatchAccountManagedIdentity" + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/cache/redis-enterprise/README.md b/modules/cache/redis-enterprise/README.md index 50eaf4f856..0c37755f50 100644 --- a/modules/cache/redis-enterprise/README.md +++ b/modules/cache/redis-enterprise/README.md @@ -33,6 +33,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Geo](#example-2-geo) - [Using large parameter set](#example-3-using-large-parameter-set) +- [WAF-aligned](#example-4-waf-aligned) ### Example 1: _Using only defaults_ @@ -397,6 +398,200 @@ module redisEnterprise 'br:bicep/modules/cache.redis-enterprise:1.0.0' = {

+### Example 4: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module redisEnterprise 'br:bicep/modules/cache.redis-enterprise:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-crewaf' + params: { + // Required parameters + name: 'crewaf001' + // Non-required parameters + capacity: 2 + databases: [ + { + clusteringPolicy: 'EnterpriseCluster' + evictionPolicy: 'AllKeysLFU' + modules: [ + { + name: 'RedisBloom' + } + { + args: 'RETENTION_POLICY 20' + name: 'RedisTimeSeries' + } + ] + persistenceAofEnabled: true + persistenceAofFrequency: '1s' + persistenceRdbEnabled: false + port: 10000 + } + ] + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + minimumTlsVersion: '1.2' + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + resourceType: 'Redis Cache Enterprise' + } + zoneRedundant: true + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "crewaf001" + }, + // Non-required parameters + "capacity": { + "value": 2 + }, + "databases": { + "value": [ + { + "clusteringPolicy": "EnterpriseCluster", + "evictionPolicy": "AllKeysLFU", + "modules": [ + { + "name": "RedisBloom" + }, + { + "args": "RETENTION_POLICY 20", + "name": "RedisTimeSeries" + } + ], + "persistenceAofEnabled": true, + "persistenceAofFrequency": "1s", + "persistenceRdbEnabled": false, + "port": 10000 + } + ] + }, + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "minimumTlsVersion": { + "value": "1.2" + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "hidden-title": "This is visible in the resource name", + "resourceType": "Redis Cache Enterprise" + } + }, + "zoneRedundant": { + "value": true + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/cache/redis/README.md b/modules/cache/redis/README.md index 6c833b7a8a..500c93fa81 100644 --- a/modules/cache/redis/README.md +++ b/modules/cache/redis/README.md @@ -32,6 +32,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -263,6 +264,188 @@ module redis 'br:bicep/modules/cache.redis:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module redis 'br:bicep/modules/cache.redis:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-crwaf' + params: { + // Required parameters + name: 'crwaf001' + // Non-required parameters + capacity: 2 + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + enableNonSslPort: true + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } + minimumTlsVersion: '1.2' + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + publicNetworkAccess: 'Enabled' + redisVersion: '6' + shardCount: 1 + skuName: 'Premium' + tags: { + 'hidden-title': 'This is visible in the resource name' + resourceType: 'Redis Cache' + } + zoneRedundant: true + zones: [ + 1 + 2 + ] + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "crwaf001" + }, + // Non-required parameters + "capacity": { + "value": 2 + }, + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "enableNonSslPort": { + "value": true + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, + "minimumTlsVersion": { + "value": "1.2" + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] + }, + "publicNetworkAccess": { + "value": "Enabled" + }, + "redisVersion": { + "value": "6" + }, + "shardCount": { + "value": 1 + }, + "skuName": { + "value": "Premium" + }, + "tags": { + "value": { + "hidden-title": "This is visible in the resource name", + "resourceType": "Redis Cache" + } + }, + "zoneRedundant": { + "value": true + }, + "zones": { + "value": [ + 1, + 2 + ] + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/cdn/profile/README.md b/modules/cdn/profile/README.md index 41fd0159bf..47cbe6ed82 100644 --- a/modules/cdn/profile/README.md +++ b/modules/cdn/profile/README.md @@ -38,6 +38,7 @@ The following section provides usage examples for the module, which were used to - [Afd](#example-1-afd) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Afd_ @@ -404,6 +405,154 @@ module profile 'br:bicep/modules/cdn.profile:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module profile 'br:bicep/modules/cdn.profile:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-cdnpwaf' + params: { + // Required parameters + name: 'dep-test-cdnpwaf' + sku: 'Standard_Verizon' + // Non-required parameters + enableDefaultTelemetry: '' + endpointProperties: { + contentTypesToCompress: [ + 'application/javascript' + 'application/json' + 'application/x-javascript' + 'application/xml' + 'text/css' + 'text/html' + 'text/javascript' + 'text/plain' + ] + geoFilters: [] + isCompressionEnabled: true + isHttpAllowed: true + isHttpsAllowed: true + originGroups: [] + originHostHeader: '' + origins: [ + { + name: 'dep-cdn-endpoint01' + properties: { + enabled: true + hostName: '' + httpPort: 80 + httpsPort: 443 + } + } + ] + queryStringCachingBehavior: 'IgnoreQueryString' + } + location: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + originResponseTimeoutSeconds: 60 + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "dep-test-cdnpwaf" + }, + "sku": { + "value": "Standard_Verizon" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "endpointProperties": { + "value": { + "contentTypesToCompress": [ + "application/javascript", + "application/json", + "application/x-javascript", + "application/xml", + "text/css", + "text/html", + "text/javascript", + "text/plain" + ], + "geoFilters": [], + "isCompressionEnabled": true, + "isHttpAllowed": true, + "isHttpsAllowed": true, + "originGroups": [], + "originHostHeader": "", + "origins": [ + { + "name": "dep-cdn-endpoint01", + "properties": { + "enabled": true, + "hostName": "", + "httpPort": 80, + "httpsPort": 443 + } + } + ], + "queryStringCachingBehavior": "IgnoreQueryString" + } + }, + "location": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "originResponseTimeoutSeconds": { + "value": 60 + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/cognitive-services/account/README.md b/modules/cognitive-services/account/README.md index 26626e96c2..4244365e44 100644 --- a/modules/cognitive-services/account/README.md +++ b/modules/cognitive-services/account/README.md @@ -36,6 +36,7 @@ The following section provides usage examples for the module, which were used to - [Encr](#example-2-encr) - [Using large parameter set](#example-3-using-large-parameter-set) - [Speech](#example-4-speech) +- [WAF-aligned](#example-5-waf-aligned) ### Example 1: _Using only defaults_ @@ -487,6 +488,206 @@ module account 'br:bicep/modules/cognitive-services.account:1.0.0' = {

+### Example 5: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module account 'br:bicep/modules/cognitive-services.account:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-csawaf' + params: { + // Required parameters + kind: 'Face' + name: 'csawaf001' + // Non-required parameters + customSubDomainName: 'xdomain' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } + networkAcls: { + defaultAction: 'Deny' + ipRules: [ + { + value: '40.74.28.0/23' + } + ] + virtualNetworkRules: [ + { + id: '' + ignoreMissingVnetServiceEndpoint: false + } + ] + } + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + sku: 'S0' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "kind": { + "value": "Face" + }, + "name": { + "value": "csawaf001" + }, + // Non-required parameters + "customSubDomainName": { + "value": "xdomain" + }, + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, + "networkAcls": { + "value": { + "defaultAction": "Deny", + "ipRules": [ + { + "value": "40.74.28.0/23" + } + ], + "virtualNetworkRules": [ + { + "id": "", + "ignoreMissingVnetServiceEndpoint": false + } + ] + } + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "sku": { + "value": "S0" + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/compute/availability-set/README.md b/modules/compute/availability-set/README.md index e2d646e9bf..b78be7385e 100644 --- a/modules/compute/availability-set/README.md +++ b/modules/compute/availability-set/README.md @@ -28,6 +28,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -167,6 +168,96 @@ module availabilitySet 'br:bicep/modules/compute.availability-set:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module availabilitySet 'br:bicep/modules/compute.availability-set:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-caswaf' + params: { + // Required parameters + name: 'caswaf001' + // Non-required parameters + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + proximityPlacementGroupResourceId: '' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "caswaf001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "proximityPlacementGroupResourceId": { + "value": "" + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/compute/disk-encryption-set/README.md b/modules/compute/disk-encryption-set/README.md index c3d9e9d920..b9590d9b21 100644 --- a/modules/compute/disk-encryption-set/README.md +++ b/modules/compute/disk-encryption-set/README.md @@ -30,6 +30,7 @@ The following section provides usage examples for the module, which were used to - [Accesspolicies](#example-1-accesspolicies) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Accesspolicies_ @@ -232,6 +233,112 @@ module diskEncryptionSet 'br:bicep/modules/compute.disk-encryption-set:1.0.0' =

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module diskEncryptionSet 'br:bicep/modules/compute.disk-encryption-set:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-cdeswaf' + params: { + // Required parameters + keyName: '' + keyVaultResourceId: '' + name: 'cdeswaf001' + // Non-required parameters + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + userAssignedResourcesIds: [ + '' + ] + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "keyName": { + "value": "" + }, + "keyVaultResourceId": { + "value": "" + }, + "name": { + "value": "cdeswaf001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "userAssignedResourcesIds": [ + "" + ] + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/compute/disk/README.md b/modules/compute/disk/README.md index 53656e6a71..a2b245fd26 100644 --- a/modules/compute/disk/README.md +++ b/modules/compute/disk/README.md @@ -30,6 +30,7 @@ The following section provides usage examples for the module, which were used to - [Image](#example-2-image) - [Import](#example-3-import) - [Using large parameter set](#example-4-using-large-parameter-set) +- [WAF-aligned](#example-5-waf-aligned) ### Example 1: _Using only defaults_ @@ -375,6 +376,120 @@ module disk 'br:bicep/modules/compute.disk:1.0.0' = {

+### Example 5: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module disk 'br:bicep/modules/compute.disk:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-cdwaf' + params: { + // Required parameters + name: 'cdwaf001' + sku: 'UltraSSD_LRS' + // Non-required parameters + diskIOPSReadWrite: 500 + diskMBpsReadWrite: 60 + diskSizeGB: 128 + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + logicalSectorSize: 512 + osType: 'Windows' + publicNetworkAccess: 'Enabled' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "cdwaf001" + }, + "sku": { + "value": "UltraSSD_LRS" + }, + // Non-required parameters + "diskIOPSReadWrite": { + "value": 500 + }, + "diskMBpsReadWrite": { + "value": 60 + }, + "diskSizeGB": { + "value": 128 + }, + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "logicalSectorSize": { + "value": 512 + }, + "osType": { + "value": "Windows" + }, + "publicNetworkAccess": { + "value": "Enabled" + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/compute/gallery/README.md b/modules/compute/gallery/README.md index 4f370dfd3b..5d352f0fb3 100644 --- a/modules/compute/gallery/README.md +++ b/modules/compute/gallery/README.md @@ -30,6 +30,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -403,6 +404,330 @@ module gallery 'br:bicep/modules/compute.gallery:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module gallery 'br:bicep/modules/compute.gallery:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-cgwaf' + params: { + // Required parameters + name: 'cgwaf001' + // Non-required parameters + applications: [ + { + name: 'cgwaf-appd-001' + } + { + name: 'cgwaf-appd-002' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + supportedOSType: 'Windows' + } + ] + enableDefaultTelemetry: '' + images: [ + { + name: 'az-imgd-ws-001' + } + { + hyperVGeneration: 'V1' + maxRecommendedMemory: 16 + maxRecommendedvCPUs: 8 + minRecommendedMemory: 4 + minRecommendedvCPUs: 2 + name: 'az-imgd-ws-002' + offer: 'WindowsServer' + osState: 'Generalized' + osType: 'Windows' + publisher: 'MicrosoftWindowsServer' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + sku: '2022-datacenter-azure-edition' + } + { + hyperVGeneration: 'V2' + isHibernateSupported: 'true' + maxRecommendedMemory: 16 + maxRecommendedvCPUs: 8 + minRecommendedMemory: 4 + minRecommendedvCPUs: 2 + name: 'az-imgd-ws-003' + offer: 'WindowsServer' + osState: 'Generalized' + osType: 'Windows' + publisher: 'MicrosoftWindowsServer' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + sku: '2022-datacenter-azure-edition-hibernate' + } + { + hyperVGeneration: 'V2' + isAcceleratedNetworkSupported: 'true' + maxRecommendedMemory: 16 + maxRecommendedvCPUs: 8 + minRecommendedMemory: 4 + minRecommendedvCPUs: 2 + name: 'az-imgd-ws-004' + offer: 'WindowsServer' + osState: 'Generalized' + osType: 'Windows' + publisher: 'MicrosoftWindowsServer' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + sku: '2022-datacenter-azure-edition-accnet' + } + { + hyperVGeneration: 'V2' + maxRecommendedMemory: 16 + maxRecommendedvCPUs: 4 + minRecommendedMemory: 4 + minRecommendedvCPUs: 2 + name: 'az-imgd-wdtl-002' + offer: 'WindowsDesktop' + osState: 'Generalized' + osType: 'Windows' + publisher: 'MicrosoftWindowsDesktop' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + securityType: 'TrustedLaunch' + sku: 'Win11-21H2' + } + { + hyperVGeneration: 'V2' + maxRecommendedMemory: 32 + maxRecommendedvCPUs: 4 + minRecommendedMemory: 4 + minRecommendedvCPUs: 1 + name: 'az-imgd-us-001' + offer: '0001-com-ubuntu-server-focal' + osState: 'Generalized' + osType: 'Linux' + publisher: 'canonical' + sku: '20_04-lts-gen2' + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "cgwaf001" + }, + // Non-required parameters + "applications": { + "value": [ + { + "name": "cgwaf-appd-001" + }, + { + "name": "cgwaf-appd-002", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "supportedOSType": "Windows" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "images": { + "value": [ + { + "name": "az-imgd-ws-001" + }, + { + "hyperVGeneration": "V1", + "maxRecommendedMemory": 16, + "maxRecommendedvCPUs": 8, + "minRecommendedMemory": 4, + "minRecommendedvCPUs": 2, + "name": "az-imgd-ws-002", + "offer": "WindowsServer", + "osState": "Generalized", + "osType": "Windows", + "publisher": "MicrosoftWindowsServer", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "sku": "2022-datacenter-azure-edition" + }, + { + "hyperVGeneration": "V2", + "isHibernateSupported": "true", + "maxRecommendedMemory": 16, + "maxRecommendedvCPUs": 8, + "minRecommendedMemory": 4, + "minRecommendedvCPUs": 2, + "name": "az-imgd-ws-003", + "offer": "WindowsServer", + "osState": "Generalized", + "osType": "Windows", + "publisher": "MicrosoftWindowsServer", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "sku": "2022-datacenter-azure-edition-hibernate" + }, + { + "hyperVGeneration": "V2", + "isAcceleratedNetworkSupported": "true", + "maxRecommendedMemory": 16, + "maxRecommendedvCPUs": 8, + "minRecommendedMemory": 4, + "minRecommendedvCPUs": 2, + "name": "az-imgd-ws-004", + "offer": "WindowsServer", + "osState": "Generalized", + "osType": "Windows", + "publisher": "MicrosoftWindowsServer", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "sku": "2022-datacenter-azure-edition-accnet" + }, + { + "hyperVGeneration": "V2", + "maxRecommendedMemory": 16, + "maxRecommendedvCPUs": 4, + "minRecommendedMemory": 4, + "minRecommendedvCPUs": 2, + "name": "az-imgd-wdtl-002", + "offer": "WindowsDesktop", + "osState": "Generalized", + "osType": "Windows", + "publisher": "MicrosoftWindowsDesktop", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "securityType": "TrustedLaunch", + "sku": "Win11-21H2" + }, + { + "hyperVGeneration": "V2", + "maxRecommendedMemory": 32, + "maxRecommendedvCPUs": 4, + "minRecommendedMemory": 4, + "minRecommendedvCPUs": 1, + "name": "az-imgd-us-001", + "offer": "0001-com-ubuntu-server-focal", + "osState": "Generalized", + "osType": "Linux", + "publisher": "canonical", + "sku": "20_04-lts-gen2" + } + ] + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/compute/image/README.md b/modules/compute/image/README.md index 6c22d0ff2d..f642c6f3c1 100644 --- a/modules/compute/image/README.md +++ b/modules/compute/image/README.md @@ -26,6 +26,7 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/compute.image:1.0.0`. - [Using large parameter set](#example-1-using-large-parameter-set) +- [WAF-aligned](#example-2-waf-aligned) ### Example 1: _Using large parameter set_ @@ -139,6 +140,118 @@ module image 'br:bicep/modules/compute.image:1.0.0' = {

+### Example 2: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module image 'br:bicep/modules/compute.image:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-ciwaf' + params: { + // Required parameters + name: 'ciwaf001' + osAccountType: 'Premium_LRS' + osDiskBlobUri: '' + osDiskCaching: 'ReadWrite' + osType: 'Windows' + // Non-required parameters + diskEncryptionSetResourceId: '' + diskSizeGB: 128 + enableDefaultTelemetry: '' + hyperVGeneration: 'V1' + osState: 'Generalized' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + tagA: 'You\'re it' + tagB: 'Player' + } + zoneResilient: true + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "ciwaf001" + }, + "osAccountType": { + "value": "Premium_LRS" + }, + "osDiskBlobUri": { + "value": "" + }, + "osDiskCaching": { + "value": "ReadWrite" + }, + "osType": { + "value": "Windows" + }, + // Non-required parameters + "diskEncryptionSetResourceId": { + "value": "" + }, + "diskSizeGB": { + "value": 128 + }, + "enableDefaultTelemetry": { + "value": "" + }, + "hyperVGeneration": { + "value": "V1" + }, + "osState": { + "value": "Generalized" + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "hidden-title": "This is visible in the resource name", + "tagA": "You\"re it", + "tagB": "Player" + } + }, + "zoneResilient": { + "value": true + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/compute/proximity-placement-group/README.md b/modules/compute/proximity-placement-group/README.md index 821a6a502e..a5861c05f9 100644 --- a/modules/compute/proximity-placement-group/README.md +++ b/modules/compute/proximity-placement-group/README.md @@ -28,6 +28,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -203,6 +204,132 @@ module proximityPlacementGroup 'br:bicep/modules/compute.proximity-placement-gro

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module proximityPlacementGroup 'br:bicep/modules/compute.proximity-placement-group:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-cppgwaf' + params: { + // Required parameters + name: 'cppgwaf001' + // Non-required parameters + colocationStatus: { + code: 'ColocationStatus/Aligned' + displayStatus: 'Aligned' + level: 'Info' + message: 'I\'m a default error message' + } + enableDefaultTelemetry: '' + intent: { + vmSizes: [ + 'Standard_B1ms' + 'Standard_B4ms' + ] + } + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + TagA: 'Would you kindly...' + TagB: 'Tags for sale' + } + type: 'Standard' + zones: [ + '1' + ] + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "cppgwaf001" + }, + // Non-required parameters + "colocationStatus": { + "value": { + "code": "ColocationStatus/Aligned", + "displayStatus": "Aligned", + "level": "Info", + "message": "I\"m a default error message" + } + }, + "enableDefaultTelemetry": { + "value": "" + }, + "intent": { + "value": { + "vmSizes": [ + "Standard_B1ms", + "Standard_B4ms" + ] + } + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "hidden-title": "This is visible in the resource name", + "TagA": "Would you kindly...", + "TagB": "Tags for sale" + } + }, + "type": { + "value": "Standard" + }, + "zones": { + "value": [ + "1" + ] + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/compute/ssh-public-key/README.md b/modules/compute/ssh-public-key/README.md index fcc48b1abe..096bdf0a7f 100644 --- a/modules/compute/ssh-public-key/README.md +++ b/modules/compute/ssh-public-key/README.md @@ -32,6 +32,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -133,6 +134,58 @@ module sshPublicKey 'br:bicep/modules/compute.ssh-public-key:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module sshPublicKey 'br:bicep/modules/compute.ssh-public-key:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-cspkwaf' + params: { + // Required parameters + name: 'sshkey-cspkwaf001' + // Non-required parameters + enableDefaultTelemetry: '' + publicKey: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "sshkey-cspkwaf001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "publicKey": { + "value": "" + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/consumption/budget/README.md b/modules/consumption/budget/README.md index 44cad18b76..748abdf07f 100644 --- a/modules/consumption/budget/README.md +++ b/modules/consumption/budget/README.md @@ -26,6 +26,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -163,6 +164,82 @@ module budget 'br:bicep/modules/consumption.budget:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module budget 'br:bicep/modules/consumption.budget:1.0.0' = { + name: '${uniqueString(deployment().name)}-test-cbwaf' + params: { + // Required parameters + amount: 500 + name: 'cbwaf001' + // Non-required parameters + contactEmails: [ + 'dummy@contoso.com' + ] + enableDefaultTelemetry: '' + thresholds: [ + 50 + 75 + 90 + 100 + 110 + ] + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "amount": { + "value": 500 + }, + "name": { + "value": "cbwaf001" + }, + // Non-required parameters + "contactEmails": { + "value": [ + "dummy@contoso.com" + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "thresholds": { + "value": [ + 50, + 75, + 90, + 100, + 110 + ] + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/container-instance/container-group/README.md b/modules/container-instance/container-group/README.md index 7918b1c8a2..447234e1d2 100644 --- a/modules/container-instance/container-group/README.md +++ b/modules/container-instance/container-group/README.md @@ -30,6 +30,7 @@ The following section provides usage examples for the module, which were used to - [Encr](#example-2-encr) - [Using large parameter set](#example-3-using-large-parameter-set) - [Private](#example-4-private) +- [WAF-aligned](#example-5-waf-aligned) ### Example 1: _Using only defaults_ @@ -783,6 +784,206 @@ module containerGroup 'br:bicep/modules/container-instance.container-group:1.0.0

+### Example 5: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module containerGroup 'br:bicep/modules/container-instance.container-group:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-cicgwaf' + params: { + // Required parameters + containers: [ + { + name: 'az-aci-x-001' + properties: { + command: [] + environmentVariables: [] + image: 'mcr.microsoft.com/azuredocs/aci-helloworld' + ports: [ + { + port: '80' + protocol: 'Tcp' + } + { + port: '443' + protocol: 'Tcp' + } + ] + resources: { + requests: { + cpu: 2 + memoryInGB: 2 + } + } + } + } + { + name: 'az-aci-x-002' + properties: { + command: [] + environmentVariables: [] + image: 'mcr.microsoft.com/azuredocs/aci-helloworld' + ports: [ + { + port: '8080' + protocol: 'Tcp' + } + ] + resources: { + requests: { + cpu: 2 + memoryInGB: 2 + } + } + } + } + ] + name: 'cicgwaf001' + // Non-required parameters + enableDefaultTelemetry: '' + ipAddressPorts: [ + { + port: 80 + protocol: 'Tcp' + } + { + port: 443 + protocol: 'Tcp' + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "containers": { + "value": [ + { + "name": "az-aci-x-001", + "properties": { + "command": [], + "environmentVariables": [], + "image": "mcr.microsoft.com/azuredocs/aci-helloworld", + "ports": [ + { + "port": "80", + "protocol": "Tcp" + }, + { + "port": "443", + "protocol": "Tcp" + } + ], + "resources": { + "requests": { + "cpu": 2, + "memoryInGB": 2 + } + } + } + }, + { + "name": "az-aci-x-002", + "properties": { + "command": [], + "environmentVariables": [], + "image": "mcr.microsoft.com/azuredocs/aci-helloworld", + "ports": [ + { + "port": "8080", + "protocol": "Tcp" + } + ], + "resources": { + "requests": { + "cpu": 2, + "memoryInGB": 2 + } + } + } + } + ] + }, + "name": { + "value": "cicgwaf001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "ipAddressPorts": { + "value": [ + { + "port": 80, + "protocol": "Tcp" + }, + { + "port": 443, + "protocol": "Tcp" + } + ] + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/container-registry/registry/README.md b/modules/container-registry/registry/README.md index 940cac8fae..ecb4f44dc9 100644 --- a/modules/container-registry/registry/README.md +++ b/modules/container-registry/registry/README.md @@ -36,6 +36,7 @@ The following section provides usage examples for the module, which were used to - [Encr](#example-2-encr) - [Using large parameter set](#example-3-using-large-parameter-set) - [Pe](#example-4-pe) +- [WAF-aligned](#example-5-waf-aligned) ### Example 1: _Using only defaults_ @@ -519,6 +520,262 @@ module registry 'br:bicep/modules/container-registry.registry:1.0.0' = {

+### Example 5: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module registry 'br:bicep/modules/container-registry.registry:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-crrwaf' + params: { + // Required parameters + name: 'crrwaf001' + // Non-required parameters + acrAdminUserEnabled: false + acrSku: 'Premium' + azureADAuthenticationAsArmPolicyStatus: 'enabled' + cacheRules: [ + { + name: 'customRule' + sourceRepository: 'docker.io/library/hello-world' + targetRepository: 'cached-docker-hub/hello-world' + } + { + sourceRepository: 'docker.io/library/hello-world' + } + ] + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + exportPolicyStatus: 'enabled' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } + networkRuleSetIpRules: [ + { + action: 'Allow' + value: '40.74.28.0/23' + } + ] + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + service: 'registry' + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + quarantinePolicyStatus: 'enabled' + replications: [ + { + location: '' + name: '' + } + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + softDeletePolicyDays: 7 + softDeletePolicyStatus: 'disabled' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + trustPolicyStatus: 'enabled' + webhooks: [ + { + name: 'acrx001webhook' + serviceUri: 'https://www.contoso.com/webhook' + } + ] + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "crrwaf001" + }, + // Non-required parameters + "acrAdminUserEnabled": { + "value": false + }, + "acrSku": { + "value": "Premium" + }, + "azureADAuthenticationAsArmPolicyStatus": { + "value": "enabled" + }, + "cacheRules": { + "value": [ + { + "name": "customRule", + "sourceRepository": "docker.io/library/hello-world", + "targetRepository": "cached-docker-hub/hello-world" + }, + { + "sourceRepository": "docker.io/library/hello-world" + } + ] + }, + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "exportPolicyStatus": { + "value": "enabled" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, + "networkRuleSetIpRules": { + "value": [ + { + "action": "Allow", + "value": "40.74.28.0/23" + } + ] + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "service": "registry", + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] + }, + "quarantinePolicyStatus": { + "value": "enabled" + }, + "replications": { + "value": [ + { + "location": "", + "name": "" + } + ] + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "softDeletePolicyDays": { + "value": 7 + }, + "softDeletePolicyStatus": { + "value": "disabled" + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "trustPolicyStatus": { + "value": "enabled" + }, + "webhooks": { + "value": [ + { + "name": "acrx001webhook", + "serviceUri": "https://www.contoso.com/webhook" + } + ] + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/data-factory/factory/README.md b/modules/data-factory/factory/README.md index 4df25ff5d9..371644a9d8 100644 --- a/modules/data-factory/factory/README.md +++ b/modules/data-factory/factory/README.md @@ -35,6 +35,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -330,6 +331,252 @@ module factory 'br:bicep/modules/data-factory.factory:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module factory 'br:bicep/modules/data-factory.factory:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-dffwaf' + params: { + // Required parameters + name: 'dffwaf001' + // Non-required parameters + customerManagedKey: { + keyName: '' + keyVaultResourceId: '' + userAssignedIdentityResourceId: '' + } + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + gitConfigureLater: true + globalParameters: { + testParameter1: { + type: 'String' + value: 'testValue1' + } + } + integrationRuntimes: [ + { + managedVirtualNetworkName: 'default' + name: 'AutoResolveIntegrationRuntime' + type: 'Managed' + typeProperties: { + computeProperties: { + location: 'AutoResolve' + } + } + } + { + name: 'TestRuntime' + type: 'SelfHosted' + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } + managedPrivateEndpoints: [ + { + fqdns: [ + '' + ] + groupId: 'blob' + name: '' + privateLinkResourceId: '' + } + ] + managedVirtualNetworkName: 'default' + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + subnetResourceId: '' + tags: { + application: 'CARML' + 'hidden-title': 'This is visible in the resource name' + } + } + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "dffwaf001" + }, + // Non-required parameters + "customerManagedKey": { + "value": { + "keyName": "", + "keyVaultResourceId": "", + "userAssignedIdentityResourceId": "" + } + }, + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "gitConfigureLater": { + "value": true + }, + "globalParameters": { + "value": { + "testParameter1": { + "type": "String", + "value": "testValue1" + } + } + }, + "integrationRuntimes": { + "value": [ + { + "managedVirtualNetworkName": "default", + "name": "AutoResolveIntegrationRuntime", + "type": "Managed", + "typeProperties": { + "computeProperties": { + "location": "AutoResolve" + } + } + }, + { + "name": "TestRuntime", + "type": "SelfHosted" + } + ] + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, + "managedPrivateEndpoints": { + "value": [ + { + "fqdns": [ + "" + ], + "groupId": "blob", + "name": "", + "privateLinkResourceId": "" + } + ] + }, + "managedVirtualNetworkName": { + "value": "default" + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "subnetResourceId": "", + "tags": { + "application": "CARML", + "hidden-title": "This is visible in the resource name" + } + } + ] + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/data-protection/backup-vault/README.md b/modules/data-protection/backup-vault/README.md index 200b51d6bc..a7771b8b43 100644 --- a/modules/data-protection/backup-vault/README.md +++ b/modules/data-protection/backup-vault/README.md @@ -30,6 +30,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -303,6 +304,230 @@ module backupVault 'br:bicep/modules/data-protection.backup-vault:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module backupVault 'br:bicep/modules/data-protection.backup-vault:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-dpbvwaf' + params: { + // Required parameters + name: 'dpbvwaf001' + // Non-required parameters + azureMonitorAlertSettingsAlertsForAllJobFailures: 'Disabled' + backupPolicies: [ + { + name: 'DefaultPolicy' + properties: { + datasourceTypes: [ + 'Microsoft.Compute/disks' + ] + objectType: 'BackupPolicy' + policyRules: [ + { + backupParameters: { + backupType: 'Incremental' + objectType: 'AzureBackupParams' + } + dataStore: { + dataStoreType: 'OperationalStore' + objectType: 'DataStoreInfoBase' + } + name: 'BackupDaily' + objectType: 'AzureBackupRule' + trigger: { + objectType: 'ScheduleBasedTriggerContext' + schedule: { + repeatingTimeIntervals: [ + 'R/2022-05-31T23:30:00+01:00/P1D' + ] + timeZone: 'W. Europe Standard Time' + } + taggingCriteria: [ + { + isDefault: true + taggingPriority: 99 + tagInfo: { + id: 'Default_' + tagName: 'Default' + } + } + ] + } + } + { + isDefault: true + lifecycles: [ + { + deleteAfter: { + duration: 'P7D' + objectType: 'AbsoluteDeleteOption' + } + sourceDataStore: { + dataStoreType: 'OperationalStore' + objectType: 'DataStoreInfoBase' + } + targetDataStoreCopySettings: [] + } + ] + name: 'Default' + objectType: 'AzureRetentionRule' + } + ] + } + } + ] + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + systemAssigned: true + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "dpbvwaf001" + }, + // Non-required parameters + "azureMonitorAlertSettingsAlertsForAllJobFailures": { + "value": "Disabled" + }, + "backupPolicies": { + "value": [ + { + "name": "DefaultPolicy", + "properties": { + "datasourceTypes": [ + "Microsoft.Compute/disks" + ], + "objectType": "BackupPolicy", + "policyRules": [ + { + "backupParameters": { + "backupType": "Incremental", + "objectType": "AzureBackupParams" + }, + "dataStore": { + "dataStoreType": "OperationalStore", + "objectType": "DataStoreInfoBase" + }, + "name": "BackupDaily", + "objectType": "AzureBackupRule", + "trigger": { + "objectType": "ScheduleBasedTriggerContext", + "schedule": { + "repeatingTimeIntervals": [ + "R/2022-05-31T23:30:00+01:00/P1D" + ], + "timeZone": "W. Europe Standard Time" + }, + "taggingCriteria": [ + { + "isDefault": true, + "taggingPriority": 99, + "tagInfo": { + "id": "Default_", + "tagName": "Default" + } + } + ] + } + }, + { + "isDefault": true, + "lifecycles": [ + { + "deleteAfter": { + "duration": "P7D", + "objectType": "AbsoluteDeleteOption" + }, + "sourceDataStore": { + "dataStoreType": "OperationalStore", + "objectType": "DataStoreInfoBase" + }, + "targetDataStoreCopySettings": [] + } + ], + "name": "Default", + "objectType": "AzureRetentionRule" + } + ] + } + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "systemAssigned": true + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/databricks/access-connector/README.md b/modules/databricks/access-connector/README.md index ad53643158..cc8cb19003 100644 --- a/modules/databricks/access-connector/README.md +++ b/modules/databricks/access-connector/README.md @@ -28,6 +28,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -181,6 +182,110 @@ module accessConnector 'br:bicep/modules/databricks.access-connector:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module accessConnector 'br:bicep/modules/databricks.access-connector:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-dacwaf' + params: { + // Required parameters + name: 'dacwaf001' + // Non-required parameters + enableDefaultTelemetry: '' + location: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "dacwaf001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "location": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/databricks/workspace/README.md b/modules/databricks/workspace/README.md index 512cd9bc26..fcb2e26a86 100644 --- a/modules/databricks/workspace/README.md +++ b/modules/databricks/workspace/README.md @@ -32,6 +32,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -327,6 +328,252 @@ module workspace 'br:bicep/modules/databricks.workspace:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module workspace 'br:bicep/modules/databricks.workspace:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-dwwaf' + params: { + // Required parameters + name: 'dwwaf001' + // Non-required parameters + amlWorkspaceResourceId: '' + customerManagedKey: { + keyName: '' + keyVaultResourceId: '' + } + customerManagedKeyManagedDisk: { + keyName: '' + keyVaultResourceId: '' + rotationToLatestKeyVersionEnabled: true + } + customPrivateSubnetName: '' + customPublicSubnetName: '' + customVirtualNetworkResourceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + logCategoriesAndGroups: [ + { + category: 'jobs' + } + { + category: 'notebook' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + disablePublicIp: true + enableDefaultTelemetry: '' + loadBalancerBackendPoolName: '' + loadBalancerResourceId: '' + location: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedResourceGroupResourceId: '' + natGatewayName: 'nat-gateway' + prepareEncryption: true + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + publicIpName: 'nat-gw-public-ip' + publicNetworkAccess: 'Disabled' + requiredNsgRules: 'NoAzureDatabricksRules' + requireInfrastructureEncryption: true + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + skuName: 'premium' + storageAccountName: 'sadwwaf001' + storageAccountSkuName: 'Standard_ZRS' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + vnetAddressPrefix: '10.100' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "dwwaf001" + }, + // Non-required parameters + "amlWorkspaceResourceId": { + "value": "" + }, + "customerManagedKey": { + "value": { + "keyName": "", + "keyVaultResourceId": "" + } + }, + "customerManagedKeyManagedDisk": { + "value": { + "keyName": "", + "keyVaultResourceId": "", + "rotationToLatestKeyVersionEnabled": true + } + }, + "customPrivateSubnetName": { + "value": "" + }, + "customPublicSubnetName": { + "value": "" + }, + "customVirtualNetworkResourceId": { + "value": "" + }, + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "logCategoriesAndGroups": [ + { + "category": "jobs" + }, + { + "category": "notebook" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "disablePublicIp": { + "value": true + }, + "enableDefaultTelemetry": { + "value": "" + }, + "loadBalancerBackendPoolName": { + "value": "" + }, + "loadBalancerResourceId": { + "value": "" + }, + "location": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedResourceGroupResourceId": { + "value": "" + }, + "natGatewayName": { + "value": "nat-gateway" + }, + "prepareEncryption": { + "value": true + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "Role": "DeploymentValidation" + } + } + ] + }, + "publicIpName": { + "value": "nat-gw-public-ip" + }, + "publicNetworkAccess": { + "value": "Disabled" + }, + "requiredNsgRules": { + "value": "NoAzureDatabricksRules" + }, + "requireInfrastructureEncryption": { + "value": true + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "skuName": { + "value": "premium" + }, + "storageAccountName": { + "value": "sadwwaf001" + }, + "storageAccountSkuName": { + "value": "Standard_ZRS" + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "vnetAddressPrefix": { + "value": "10.100" + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/desktop-virtualization/application-group/README.md b/modules/desktop-virtualization/application-group/README.md index 83aa677d85..22947a3ef1 100644 --- a/modules/desktop-virtualization/application-group/README.md +++ b/modules/desktop-virtualization/application-group/README.md @@ -30,6 +30,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -251,6 +252,170 @@ module applicationGroup 'br:bicep/modules/desktop-virtualization.application-gro

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module applicationGroup 'br:bicep/modules/desktop-virtualization.application-group:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-dvagwaf' + params: { + // Required parameters + applicationGroupType: 'RemoteApp' + hostpoolName: '' + name: 'dvagwaf001' + // Non-required parameters + applications: [ + { + commandLineArguments: '' + commandLineSetting: 'DoNotAllow' + description: 'Notepad by ARM template' + filePath: 'C:\\Windows\\System32\\notepad.exe' + friendlyName: 'Notepad' + iconIndex: 0 + iconPath: 'C:\\Windows\\System32\\notepad.exe' + name: 'notepad' + showInPortal: true + } + { + filePath: 'C:\\Program Files\\Windows NT\\Accessories\\wordpad.exe' + friendlyName: 'Wordpad' + name: 'wordpad' + } + ] + description: 'This is my first Remote Applications bundle' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + friendlyName: 'Remote Applications 1' + location: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "applicationGroupType": { + "value": "RemoteApp" + }, + "hostpoolName": { + "value": "" + }, + "name": { + "value": "dvagwaf001" + }, + // Non-required parameters + "applications": { + "value": [ + { + "commandLineArguments": "", + "commandLineSetting": "DoNotAllow", + "description": "Notepad by ARM template", + "filePath": "C:\\Windows\\System32\\notepad.exe", + "friendlyName": "Notepad", + "iconIndex": 0, + "iconPath": "C:\\Windows\\System32\\notepad.exe", + "name": "notepad", + "showInPortal": true + }, + { + "filePath": "C:\\Program Files\\Windows NT\\Accessories\\wordpad.exe", + "friendlyName": "Wordpad", + "name": "wordpad" + } + ] + }, + "description": { + "value": "This is my first Remote Applications bundle" + }, + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "friendlyName": { + "value": "Remote Applications 1" + }, + "location": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/desktop-virtualization/host-pool/README.md b/modules/desktop-virtualization/host-pool/README.md index cc5703c6ab..37af321393 100644 --- a/modules/desktop-virtualization/host-pool/README.md +++ b/modules/desktop-virtualization/host-pool/README.md @@ -29,6 +29,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -284,6 +285,212 @@ module hostPool 'br:bicep/modules/desktop-virtualization.host-pool:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module hostPool 'br:bicep/modules/desktop-virtualization.host-pool:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-dvhpwaf' + params: { + // Required parameters + name: 'dvhpwaf001' + // Non-required parameters + agentUpdate: { + maintenanceWindows: [ + { + dayOfWeek: 'Friday' + hour: 7 + } + { + dayOfWeek: 'Saturday' + hour: 8 + } + ] + maintenanceWindowTimeZone: 'Alaskan Standard Time' + type: 'Scheduled' + useSessionHostLocalTime: false + } + customRdpProperty: 'audiocapturemode:i:1;audiomode:i:0;drivestoredirect:s:;redirectclipboard:i:1;redirectcomports:i:1;redirectprinters:i:1;redirectsmartcards:i:1;screen mode id:i:2;' + description: 'My first AVD Host Pool' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + friendlyName: 'AVDv2' + loadBalancerType: 'BreadthFirst' + location: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + maxSessionLimit: 99999 + personalDesktopAssignmentType: 'Automatic' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + type: 'Pooled' + vmTemplate: { + customImageId: '' + domain: 'domainname.onmicrosoft.com' + galleryImageOffer: 'office-365' + galleryImagePublisher: 'microsoftwindowsdesktop' + galleryImageSKU: '20h1-evd-o365pp' + imageType: 'Gallery' + imageUri: '' + namePrefix: 'avdv2' + osDiskType: 'StandardSSD_LRS' + useManagedDisks: true + vmSize: { + cores: 2 + id: 'Standard_D2s_v3' + ram: 8 + } + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "dvhpwaf001" + }, + // Non-required parameters + "agentUpdate": { + "value": { + "maintenanceWindows": [ + { + "dayOfWeek": "Friday", + "hour": 7 + }, + { + "dayOfWeek": "Saturday", + "hour": 8 + } + ], + "maintenanceWindowTimeZone": "Alaskan Standard Time", + "type": "Scheduled", + "useSessionHostLocalTime": false + } + }, + "customRdpProperty": { + "value": "audiocapturemode:i:1;audiomode:i:0;drivestoredirect:s:;redirectclipboard:i:1;redirectcomports:i:1;redirectprinters:i:1;redirectsmartcards:i:1;screen mode id:i:2;" + }, + "description": { + "value": "My first AVD Host Pool" + }, + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "friendlyName": { + "value": "AVDv2" + }, + "loadBalancerType": { + "value": "BreadthFirst" + }, + "location": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "maxSessionLimit": { + "value": 99999 + }, + "personalDesktopAssignmentType": { + "value": "Automatic" + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "type": { + "value": "Pooled" + }, + "vmTemplate": { + "value": { + "customImageId": "", + "domain": "domainname.onmicrosoft.com", + "galleryImageOffer": "office-365", + "galleryImagePublisher": "microsoftwindowsdesktop", + "galleryImageSKU": "20h1-evd-o365pp", + "imageType": "Gallery", + "imageUri": "", + "namePrefix": "avdv2", + "osDiskType": "StandardSSD_LRS", + "useManagedDisks": true, + "vmSize": { + "cores": 2, + "id": "Standard_D2s_v3", + "ram": 8 + } + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/desktop-virtualization/scaling-plan/README.md b/modules/desktop-virtualization/scaling-plan/README.md index 0983c6dbbc..96f2d667e4 100644 --- a/modules/desktop-virtualization/scaling-plan/README.md +++ b/modules/desktop-virtualization/scaling-plan/README.md @@ -28,6 +28,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -267,6 +268,196 @@ module scalingPlan 'br:bicep/modules/desktop-virtualization.scaling-plan:1.0.0'

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module scalingPlan 'br:bicep/modules/desktop-virtualization.scaling-plan:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-dvspwaf' + params: { + // Required parameters + name: 'dvspwaf001' + // Non-required parameters + description: 'My Scaling Plan Description' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + friendlyName: 'My Scaling Plan' + hostPoolType: 'Pooled' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + schedules: [ + { + daysOfWeek: [ + 'Friday' + 'Monday' + 'Thursday' + 'Tuesday' + 'Wednesday' + ] + name: 'weekdays_schedule' + offPeakLoadBalancingAlgorithm: 'DepthFirst' + offPeakStartTime: { + hour: 20 + minute: 0 + } + peakLoadBalancingAlgorithm: 'DepthFirst' + peakStartTime: { + hour: 9 + minute: 0 + } + rampDownCapacityThresholdPct: 90 + rampDownForceLogoffUsers: true + rampDownLoadBalancingAlgorithm: 'DepthFirst' + rampDownMinimumHostsPct: 10 + rampDownNotificationMessage: 'You will be logged off in 30 min. Make sure to save your work.' + rampDownStartTime: { + hour: 18 + minute: 0 + } + rampDownStopHostsWhen: 'ZeroSessions' + rampDownWaitTimeMinutes: 30 + rampUpCapacityThresholdPct: 60 + rampUpLoadBalancingAlgorithm: 'DepthFirst' + rampUpMinimumHostsPct: 20 + rampUpStartTime: { + hour: 7 + minute: 0 + } + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "dvspwaf001" + }, + // Non-required parameters + "description": { + "value": "My Scaling Plan Description" + }, + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "friendlyName": { + "value": "My Scaling Plan" + }, + "hostPoolType": { + "value": "Pooled" + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "schedules": { + "value": [ + { + "daysOfWeek": [ + "Friday", + "Monday", + "Thursday", + "Tuesday", + "Wednesday" + ], + "name": "weekdays_schedule", + "offPeakLoadBalancingAlgorithm": "DepthFirst", + "offPeakStartTime": { + "hour": 20, + "minute": 0 + }, + "peakLoadBalancingAlgorithm": "DepthFirst", + "peakStartTime": { + "hour": 9, + "minute": 0 + }, + "rampDownCapacityThresholdPct": 90, + "rampDownForceLogoffUsers": true, + "rampDownLoadBalancingAlgorithm": "DepthFirst", + "rampDownMinimumHostsPct": 10, + "rampDownNotificationMessage": "You will be logged off in 30 min. Make sure to save your work.", + "rampDownStartTime": { + "hour": 18, + "minute": 0 + }, + "rampDownStopHostsWhen": "ZeroSessions", + "rampDownWaitTimeMinutes": 30, + "rampUpCapacityThresholdPct": 60, + "rampUpLoadBalancingAlgorithm": "DepthFirst", + "rampUpMinimumHostsPct": 20, + "rampUpStartTime": { + "hour": 7, + "minute": 0 + } + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/desktop-virtualization/workspace/README.md b/modules/desktop-virtualization/workspace/README.md index 2fab487621..641cdb7674 100644 --- a/modules/desktop-virtualization/workspace/README.md +++ b/modules/desktop-virtualization/workspace/README.md @@ -29,6 +29,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -204,6 +205,132 @@ module workspace 'br:bicep/modules/desktop-virtualization.workspace:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module workspace 'br:bicep/modules/desktop-virtualization.workspace:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-dvwwaf' + params: { + // Required parameters + name: 'dvwwaf001' + // Non-required parameters + appGroupResourceIds: [ + '' + ] + description: 'This is my first AVD Workspace' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + friendlyName: 'My first AVD Workspace' + location: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "dvwwaf001" + }, + // Non-required parameters + "appGroupResourceIds": { + "value": [ + "" + ] + }, + "description": { + "value": "This is my first AVD Workspace" + }, + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "friendlyName": { + "value": "My first AVD Workspace" + }, + "location": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/dev-test-lab/lab/README.md b/modules/dev-test-lab/lab/README.md index b7b777f88b..f4444676bb 100644 --- a/modules/dev-test-lab/lab/README.md +++ b/modules/dev-test-lab/lab/README.md @@ -34,6 +34,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -625,6 +626,548 @@ module lab 'br:bicep/modules/dev-test-lab.lab:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module lab 'br:bicep/modules/dev-test-lab.lab:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-dtllwaf' + params: { + // Required parameters + name: 'dtllwaf001' + // Non-required parameters + announcement: { + enabled: 'Enabled' + expirationDate: '2025-12-30T13:00:00Z' + markdown: 'DevTest Lab announcement text.
New line. It also supports Markdown' + title: 'DevTest announcement title' + } + artifactsources: [ + { + branchRef: 'master' + displayName: 'Public Artifact Repo' + folderPath: '/Artifacts' + name: 'Public Repo' + sourceType: 'GitHub' + status: 'Disabled' + uri: 'https://github.com/Azure/azure-devtestlab.git' + } + { + armTemplateFolderPath: '/Environments' + branchRef: 'master' + displayName: 'Public Environment Repo' + name: 'Public Environment Repo' + sourceType: 'GitHub' + status: 'Disabled' + uri: 'https://github.com/Azure/azure-devtestlab.git' + } + ] + artifactsStorageAccount: '' + browserConnect: 'Enabled' + costs: { + cycleType: 'CalendarMonth' + status: 'Enabled' + target: 450 + thresholdValue100DisplayOnChart: 'Enabled' + thresholdValue100SendNotificationWhenExceeded: 'Enabled' + } + disableAutoUpgradeCseMinorVersion: true + enableDefaultTelemetry: '' + encryptionDiskEncryptionSetId: '' + encryptionType: 'EncryptionAtRestWithCustomerKey' + environmentPermission: 'Contributor' + extendedProperties: { + RdpConnectionType: '7' + } + isolateLabResources: 'Enabled' + labStorageType: 'Premium' + location: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + userAssignedResourcesIds: [ + '' + ] + } + managementIdentitiesResourceIds: [ + '' + ] + notificationchannels: [ + { + description: 'Integration configured for auto-shutdown' + emailRecipient: 'mail@contosodtlmail.com' + events: [ + { + eventName: 'AutoShutdown' + } + ] + name: 'autoShutdown' + notificationLocale: 'en' + webHookUrl: 'https://webhook.contosotest.com' + } + { + events: [ + { + eventName: 'Cost' + } + ] + name: 'costThreshold' + webHookUrl: 'https://webhook.contosotest.com' + } + ] + policies: [ + { + evaluatorType: 'MaxValuePolicy' + factData: '' + factName: 'UserOwnedLabVmCountInSubnet' + name: '' + threshold: '1' + } + { + evaluatorType: 'MaxValuePolicy' + factName: 'UserOwnedLabVmCount' + name: 'MaxVmsAllowedPerUser' + threshold: '2' + } + { + evaluatorType: 'MaxValuePolicy' + factName: 'UserOwnedLabPremiumVmCount' + name: 'MaxPremiumVmsAllowedPerUser' + status: 'Disabled' + threshold: '1' + } + { + evaluatorType: 'MaxValuePolicy' + factName: 'LabVmCount' + name: 'MaxVmsAllowedPerLab' + threshold: '3' + } + { + evaluatorType: 'MaxValuePolicy' + factName: 'LabPremiumVmCount' + name: 'MaxPremiumVmsAllowedPerLab' + threshold: '2' + } + { + evaluatorType: 'AllowedValuesPolicy' + factData: '' + factName: 'LabVmSize' + name: 'AllowedVmSizesInLab' + status: 'Enabled' + threshold: '' + } + { + evaluatorType: 'AllowedValuesPolicy' + factName: 'ScheduleEditPermission' + name: 'ScheduleEditPermission' + threshold: '' + } + { + evaluatorType: 'AllowedValuesPolicy' + factName: 'GalleryImage' + name: 'GalleryImage' + threshold: '' + } + { + description: 'Public Environment Policy' + evaluatorType: 'AllowedValuesPolicy' + factName: 'EnvironmentTemplate' + name: 'EnvironmentTemplate' + threshold: '' + } + ] + premiumDataDisks: 'Enabled' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + schedules: [ + { + dailyRecurrence: { + time: '0000' + } + name: 'LabVmsShutdown' + notificationSettingsStatus: 'Enabled' + notificationSettingsTimeInMinutes: 30 + status: 'Enabled' + taskType: 'LabVmsShutdownTask' + timeZoneId: 'AUS Eastern Standard Time' + } + { + name: 'LabVmAutoStart' + status: 'Enabled' + taskType: 'LabVmsStartupTask' + timeZoneId: 'AUS Eastern Standard Time' + weeklyRecurrence: { + time: '0700' + weekdays: [ + 'Friday' + 'Monday' + 'Thursday' + 'Tuesday' + 'Wednesday' + ] + } + } + ] + support: { + enabled: 'Enabled' + markdown: 'DevTest Lab support text.
New line. It also supports Markdown' + } + tags: { + 'hidden-title': 'This is visible in the resource name' + labName: 'dtllwaf001' + resourceType: 'DevTest Lab' + } + virtualnetworks: [ + { + allowedSubnets: [ + { + allowPublicIp: 'Allow' + labSubnetName: '' + resourceId: '' + } + ] + description: 'lab virtual network description' + externalProviderResourceId: '' + name: '' + subnetOverrides: [ + { + labSubnetName: '' + resourceId: '' + sharedPublicIpAddressConfiguration: { + allowedPorts: [ + { + backendPort: 3389 + transportProtocol: 'Tcp' + } + { + backendPort: 22 + transportProtocol: 'Tcp' + } + ] + } + useInVmCreationPermission: 'Allow' + usePublicIpAddressPermission: 'Allow' + } + ] + } + ] + vmCreationResourceGroupId: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "dtllwaf001" + }, + // Non-required parameters + "announcement": { + "value": { + "enabled": "Enabled", + "expirationDate": "2025-12-30T13:00:00Z", + "markdown": "DevTest Lab announcement text.
New line. It also supports Markdown", + "title": "DevTest announcement title" + } + }, + "artifactsources": { + "value": [ + { + "branchRef": "master", + "displayName": "Public Artifact Repo", + "folderPath": "/Artifacts", + "name": "Public Repo", + "sourceType": "GitHub", + "status": "Disabled", + "uri": "https://github.com/Azure/azure-devtestlab.git" + }, + { + "armTemplateFolderPath": "/Environments", + "branchRef": "master", + "displayName": "Public Environment Repo", + "name": "Public Environment Repo", + "sourceType": "GitHub", + "status": "Disabled", + "uri": "https://github.com/Azure/azure-devtestlab.git" + } + ] + }, + "artifactsStorageAccount": { + "value": "" + }, + "browserConnect": { + "value": "Enabled" + }, + "costs": { + "value": { + "cycleType": "CalendarMonth", + "status": "Enabled", + "target": 450, + "thresholdValue100DisplayOnChart": "Enabled", + "thresholdValue100SendNotificationWhenExceeded": "Enabled" + } + }, + "disableAutoUpgradeCseMinorVersion": { + "value": true + }, + "enableDefaultTelemetry": { + "value": "" + }, + "encryptionDiskEncryptionSetId": { + "value": "" + }, + "encryptionType": { + "value": "EncryptionAtRestWithCustomerKey" + }, + "environmentPermission": { + "value": "Contributor" + }, + "extendedProperties": { + "value": { + "RdpConnectionType": "7" + } + }, + "isolateLabResources": { + "value": "Enabled" + }, + "labStorageType": { + "value": "Premium" + }, + "location": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "userAssignedResourcesIds": [ + "" + ] + } + }, + "managementIdentitiesResourceIds": { + "value": [ + "" + ] + }, + "notificationchannels": { + "value": [ + { + "description": "Integration configured for auto-shutdown", + "emailRecipient": "mail@contosodtlmail.com", + "events": [ + { + "eventName": "AutoShutdown" + } + ], + "name": "autoShutdown", + "notificationLocale": "en", + "webHookUrl": "https://webhook.contosotest.com" + }, + { + "events": [ + { + "eventName": "Cost" + } + ], + "name": "costThreshold", + "webHookUrl": "https://webhook.contosotest.com" + } + ] + }, + "policies": { + "value": [ + { + "evaluatorType": "MaxValuePolicy", + "factData": "", + "factName": "UserOwnedLabVmCountInSubnet", + "name": "", + "threshold": "1" + }, + { + "evaluatorType": "MaxValuePolicy", + "factName": "UserOwnedLabVmCount", + "name": "MaxVmsAllowedPerUser", + "threshold": "2" + }, + { + "evaluatorType": "MaxValuePolicy", + "factName": "UserOwnedLabPremiumVmCount", + "name": "MaxPremiumVmsAllowedPerUser", + "status": "Disabled", + "threshold": "1" + }, + { + "evaluatorType": "MaxValuePolicy", + "factName": "LabVmCount", + "name": "MaxVmsAllowedPerLab", + "threshold": "3" + }, + { + "evaluatorType": "MaxValuePolicy", + "factName": "LabPremiumVmCount", + "name": "MaxPremiumVmsAllowedPerLab", + "threshold": "2" + }, + { + "evaluatorType": "AllowedValuesPolicy", + "factData": "", + "factName": "LabVmSize", + "name": "AllowedVmSizesInLab", + "status": "Enabled", + "threshold": "" + }, + { + "evaluatorType": "AllowedValuesPolicy", + "factName": "ScheduleEditPermission", + "name": "ScheduleEditPermission", + "threshold": "" + }, + { + "evaluatorType": "AllowedValuesPolicy", + "factName": "GalleryImage", + "name": "GalleryImage", + "threshold": "" + }, + { + "description": "Public Environment Policy", + "evaluatorType": "AllowedValuesPolicy", + "factName": "EnvironmentTemplate", + "name": "EnvironmentTemplate", + "threshold": "" + } + ] + }, + "premiumDataDisks": { + "value": "Enabled" + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "schedules": { + "value": [ + { + "dailyRecurrence": { + "time": "0000" + }, + "name": "LabVmsShutdown", + "notificationSettingsStatus": "Enabled", + "notificationSettingsTimeInMinutes": 30, + "status": "Enabled", + "taskType": "LabVmsShutdownTask", + "timeZoneId": "AUS Eastern Standard Time" + }, + { + "name": "LabVmAutoStart", + "status": "Enabled", + "taskType": "LabVmsStartupTask", + "timeZoneId": "AUS Eastern Standard Time", + "weeklyRecurrence": { + "time": "0700", + "weekdays": [ + "Friday", + "Monday", + "Thursday", + "Tuesday", + "Wednesday" + ] + } + } + ] + }, + "support": { + "value": { + "enabled": "Enabled", + "markdown": "DevTest Lab support text.
New line. It also supports Markdown" + } + }, + "tags": { + "value": { + "hidden-title": "This is visible in the resource name", + "labName": "dtllwaf001", + "resourceType": "DevTest Lab" + } + }, + "virtualnetworks": { + "value": [ + { + "allowedSubnets": [ + { + "allowPublicIp": "Allow", + "labSubnetName": "", + "resourceId": "" + } + ], + "description": "lab virtual network description", + "externalProviderResourceId": "", + "name": "", + "subnetOverrides": [ + { + "labSubnetName": "", + "resourceId": "", + "sharedPublicIpAddressConfiguration": { + "allowedPorts": [ + { + "backendPort": 3389, + "transportProtocol": "Tcp" + }, + { + "backendPort": 22, + "transportProtocol": "Tcp" + } + ] + }, + "useInVmCreationPermission": "Allow", + "usePublicIpAddressPermission": "Allow" + } + ] + } + ] + }, + "vmCreationResourceGroupId": { + "value": "" + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/digital-twins/digital-twins-instance/README.md b/modules/digital-twins/digital-twins-instance/README.md index bed016932f..574c196c63 100644 --- a/modules/digital-twins/digital-twins-instance/README.md +++ b/modules/digital-twins/digital-twins-instance/README.md @@ -32,6 +32,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -261,6 +262,186 @@ module digitalTwinsInstance 'br:bicep/modules/digital-twins.digital-twins-instan

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module digitalTwinsInstance 'br:bicep/modules/digital-twins.digital-twins-instance:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-dtdtiwaf' + params: { + // Required parameters + name: 'dtdtiwaf001' + // Non-required parameters + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + eventGridEndpoint: { + eventGridDomainId: '' + topicEndpoint: '' + } + eventHubEndpoint: { + authenticationType: 'IdentityBased' + endpointUri: '' + entityPath: '' + userAssignedIdentity: '' + } + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + subnetResourceId: '' + } + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + serviceBusEndpoint: { + authenticationType: 'IdentityBased' + endpointUri: '' + entityPath: '' + userAssignedIdentity: '' + } + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + userAssignedIdentities: { + '': {} + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "dtdtiwaf001" + }, + // Non-required parameters + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "eventGridEndpoint": { + "value": { + "eventGridDomainId": "", + "topicEndpoint": "" + } + }, + "eventHubEndpoint": { + "value": { + "authenticationType": "IdentityBased", + "endpointUri": "", + "entityPath": "", + "userAssignedIdentity": "" + } + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "subnetResourceId": "" + } + ] + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "serviceBusEndpoint": { + "value": { + "authenticationType": "IdentityBased", + "endpointUri": "", + "entityPath": "", + "userAssignedIdentity": "" + } + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "userAssignedIdentities": { + "value": { + "": {} + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/event-grid/domain/README.md b/modules/event-grid/domain/README.md index be9e32e179..38f46a6a77 100644 --- a/modules/event-grid/domain/README.md +++ b/modules/event-grid/domain/README.md @@ -33,6 +33,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) - [Pe](#example-3-pe) +- [WAF-aligned](#example-4-waf-aligned) ### Example 1: _Using only defaults_ @@ -335,6 +336,174 @@ module domain 'br:bicep/modules/event-grid.domain:1.0.0' = {

+### Example 4: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module domain 'br:bicep/modules/event-grid.domain:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-egdwaf' + params: { + // Required parameters + name: 'egdwaf001' + // Non-required parameters + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + inboundIpRules: [ + { + action: 'Allow' + ipMask: '40.74.28.0/23' + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + service: 'domain' + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + topics: [ + 'topic-egdwaf001' + ] + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "egdwaf001" + }, + // Non-required parameters + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "inboundIpRules": { + "value": [ + { + "action": "Allow", + "ipMask": "40.74.28.0/23" + } + ] + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "service": "domain", + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "topics": { + "value": [ + "topic-egdwaf001" + ] + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/event-grid/system-topic/README.md b/modules/event-grid/system-topic/README.md index 526c04d4a7..e46107cf3b 100644 --- a/modules/event-grid/system-topic/README.md +++ b/modules/event-grid/system-topic/README.md @@ -30,6 +30,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -269,6 +270,188 @@ module systemTopic 'br:bicep/modules/event-grid.system-topic:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module systemTopic 'br:bicep/modules/event-grid.system-topic:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-egstwaf' + params: { + // Required parameters + name: 'egstwaf001' + source: '' + topicType: 'Microsoft.Storage.StorageAccounts' + // Non-required parameters + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + eventSubscriptions: [ + { + destination: { + endpointType: 'StorageQueue' + properties: { + queueMessageTimeToLiveInSeconds: 86400 + queueName: '' + resourceId: '' + } + } + enableDefaultTelemetry: '' + eventDeliverySchema: 'CloudEventSchemaV1_0' + expirationTimeUtc: '2099-01-01T11:00:21.715Z' + filter: { + enableAdvancedFilteringOnArrays: true + isSubjectCaseSensitive: false + } + name: 'egstwaf001' + retryPolicy: { + eventTimeToLive: '120' + maxDeliveryAttempts: 10 + } + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + systemAssigned: true + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "egstwaf001" + }, + "source": { + "value": "" + }, + "topicType": { + "value": "Microsoft.Storage.StorageAccounts" + }, + // Non-required parameters + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "eventSubscriptions": { + "value": [ + { + "destination": { + "endpointType": "StorageQueue", + "properties": { + "queueMessageTimeToLiveInSeconds": 86400, + "queueName": "", + "resourceId": "" + } + }, + "enableDefaultTelemetry": "", + "eventDeliverySchema": "CloudEventSchemaV1_0", + "expirationTimeUtc": "2099-01-01T11:00:21.715Z", + "filter": { + "enableAdvancedFilteringOnArrays": true, + "isSubjectCaseSensitive": false + }, + "name": "egstwaf001", + "retryPolicy": { + "eventTimeToLive": "120", + "maxDeliveryAttempts": 10 + } + } + ] + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "systemAssigned": true + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/event-grid/topic/README.md b/modules/event-grid/topic/README.md index 8ae1c9ebdf..a00df258c6 100644 --- a/modules/event-grid/topic/README.md +++ b/modules/event-grid/topic/README.md @@ -33,6 +33,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) - [Pe](#example-3-pe) +- [WAF-aligned](#example-4-waf-aligned) ### Example 1: _Using only defaults_ @@ -377,6 +378,216 @@ module topic 'br:bicep/modules/event-grid.topic:1.0.0' = {

+### Example 4: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module topic 'br:bicep/modules/event-grid.topic:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-egtwaf' + params: { + // Required parameters + name: 'egtwaf001' + // Non-required parameters + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + eventSubscriptions: [ + { + destination: { + endpointType: 'StorageQueue' + properties: { + queueMessageTimeToLiveInSeconds: 86400 + queueName: '' + resourceId: '' + } + } + enableDefaultTelemetry: '' + eventDeliverySchema: 'CloudEventSchemaV1_0' + expirationTimeUtc: '2099-01-01T11:00:21.715Z' + filter: { + enableAdvancedFilteringOnArrays: true + isSubjectCaseSensitive: false + } + name: 'egtwaf001' + retryPolicy: { + eventTimeToLive: '120' + maxDeliveryAttempts: 10 + } + } + ] + inboundIpRules: [ + { + action: 'Allow' + ipMask: '40.74.28.0/23' + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + service: 'topic' + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "egtwaf001" + }, + // Non-required parameters + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "eventSubscriptions": { + "value": [ + { + "destination": { + "endpointType": "StorageQueue", + "properties": { + "queueMessageTimeToLiveInSeconds": 86400, + "queueName": "", + "resourceId": "" + } + }, + "enableDefaultTelemetry": "", + "eventDeliverySchema": "CloudEventSchemaV1_0", + "expirationTimeUtc": "2099-01-01T11:00:21.715Z", + "filter": { + "enableAdvancedFilteringOnArrays": true, + "isSubjectCaseSensitive": false + }, + "name": "egtwaf001", + "retryPolicy": { + "eventTimeToLive": "120", + "maxDeliveryAttempts": 10 + } + } + ] + }, + "inboundIpRules": { + "value": [ + { + "action": "Allow", + "ipMask": "40.74.28.0/23" + } + ] + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "service": "topic", + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/event-hub/namespace/README.md b/modules/event-hub/namespace/README.md index 11384fca9e..c9fd2a30dd 100644 --- a/modules/event-hub/namespace/README.md +++ b/modules/event-hub/namespace/README.md @@ -39,6 +39,7 @@ The following section provides usage examples for the module, which were used to - [Encr](#example-2-encr) - [Using large parameter set](#example-3-using-large-parameter-set) - [Pe](#example-4-pe) +- [WAF-aligned](#example-5-waf-aligned) ### Example 1: _Using only defaults_ @@ -676,6 +677,402 @@ module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = {

+### Example 5: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module namespace 'br:bicep/modules/event-hub.namespace:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-ehnwaf' + params: { + // Required parameters + name: 'ehnwaf001' + // Non-required parameters + authorizationRules: [ + { + name: 'RootManageSharedAccessKey' + rights: [ + 'Listen' + 'Manage' + 'Send' + ] + } + { + name: 'SendListenAccess' + rights: [ + 'Listen' + 'Send' + ] + } + ] + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + disableLocalAuth: true + enableDefaultTelemetry: '' + eventhubs: [ + { + name: 'az-evh-x-001' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + } + { + authorizationRules: [ + { + name: 'RootManageSharedAccessKey' + rights: [ + 'Listen' + 'Manage' + 'Send' + ] + } + { + name: 'SendListenAccess' + rights: [ + 'Listen' + 'Send' + ] + } + ] + captureDescriptionDestinationArchiveNameFormat: '{Namespace}/{EventHub}/{PartitionId}/{Year}/{Month}/{Day}/{Hour}/{Minute}/{Second}' + captureDescriptionDestinationBlobContainer: 'eventhub' + captureDescriptionDestinationName: 'EventHubArchive.AzureBlockBlob' + captureDescriptionDestinationStorageAccountResourceId: '' + captureDescriptionEnabled: true + captureDescriptionEncoding: 'Avro' + captureDescriptionIntervalInSeconds: 300 + captureDescriptionSizeLimitInBytes: 314572800 + captureDescriptionSkipEmptyArchives: true + consumergroups: [ + { + name: 'custom' + userMetadata: 'customMetadata' + } + ] + messageRetentionInDays: 1 + name: 'az-evh-x-002' + partitionCount: 2 + retentionDescriptionCleanupPolicy: 'Delete' + retentionDescriptionRetentionTimeInHours: 3 + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + status: 'Active' + } + { + name: 'az-evh-x-003' + retentionDescriptionCleanupPolicy: 'Compact' + retentionDescriptionTombstoneRetentionTimeInHours: 24 + } + ] + isAutoInflateEnabled: true + kafkaEnabled: true + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } + maximumThroughputUnits: 4 + minimumTlsVersion: '1.2' + networkRuleSets: { + defaultAction: 'Deny' + ipRules: [ + { + action: 'Allow' + ipMask: '10.10.10.10' + } + ] + trustedServiceAccessEnabled: false + virtualNetworkRules: [ + { + ignoreMissingVnetServiceEndpoint: true + subnetResourceId: '' + } + ] + } + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + service: 'namespace' + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + publicNetworkAccess: 'Disabled' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + skuCapacity: 2 + skuName: 'Standard' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + zoneRedundant: true + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "ehnwaf001" + }, + // Non-required parameters + "authorizationRules": { + "value": [ + { + "name": "RootManageSharedAccessKey", + "rights": [ + "Listen", + "Manage", + "Send" + ] + }, + { + "name": "SendListenAccess", + "rights": [ + "Listen", + "Send" + ] + } + ] + }, + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "disableLocalAuth": { + "value": true + }, + "enableDefaultTelemetry": { + "value": "" + }, + "eventhubs": { + "value": [ + { + "name": "az-evh-x-001", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + { + "authorizationRules": [ + { + "name": "RootManageSharedAccessKey", + "rights": [ + "Listen", + "Manage", + "Send" + ] + }, + { + "name": "SendListenAccess", + "rights": [ + "Listen", + "Send" + ] + } + ], + "captureDescriptionDestinationArchiveNameFormat": "{Namespace}/{EventHub}/{PartitionId}/{Year}/{Month}/{Day}/{Hour}/{Minute}/{Second}", + "captureDescriptionDestinationBlobContainer": "eventhub", + "captureDescriptionDestinationName": "EventHubArchive.AzureBlockBlob", + "captureDescriptionDestinationStorageAccountResourceId": "", + "captureDescriptionEnabled": true, + "captureDescriptionEncoding": "Avro", + "captureDescriptionIntervalInSeconds": 300, + "captureDescriptionSizeLimitInBytes": 314572800, + "captureDescriptionSkipEmptyArchives": true, + "consumergroups": [ + { + "name": "custom", + "userMetadata": "customMetadata" + } + ], + "messageRetentionInDays": 1, + "name": "az-evh-x-002", + "partitionCount": 2, + "retentionDescriptionCleanupPolicy": "Delete", + "retentionDescriptionRetentionTimeInHours": 3, + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "status": "Active" + }, + { + "name": "az-evh-x-003", + "retentionDescriptionCleanupPolicy": "Compact", + "retentionDescriptionTombstoneRetentionTimeInHours": 24 + } + ] + }, + "isAutoInflateEnabled": { + "value": true + }, + "kafkaEnabled": { + "value": true + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, + "maximumThroughputUnits": { + "value": 4 + }, + "minimumTlsVersion": { + "value": "1.2" + }, + "networkRuleSets": { + "value": { + "defaultAction": "Deny", + "ipRules": [ + { + "action": "Allow", + "ipMask": "10.10.10.10" + } + ], + "trustedServiceAccessEnabled": false, + "virtualNetworkRules": [ + { + "ignoreMissingVnetServiceEndpoint": true, + "subnetResourceId": "" + } + ] + } + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "service": "namespace", + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] + }, + "publicNetworkAccess": { + "value": "Disabled" + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "skuCapacity": { + "value": 2 + }, + "skuName": { + "value": "Standard" + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "zoneRedundant": { + "value": true + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/health-bot/health-bot/README.md b/modules/health-bot/health-bot/README.md index 794c1f2f31..5d2aacf68b 100644 --- a/modules/health-bot/health-bot/README.md +++ b/modules/health-bot/health-bot/README.md @@ -28,6 +28,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -183,6 +184,108 @@ module healthBot 'br:bicep/modules/health-bot.health-bot:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module healthBot 'br:bicep/modules/health-bot.health-bot:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-hbhbwaf' + params: { + // Required parameters + name: 'hbhbwaf001' + sku: 'F0' + // Non-required parameters + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + userAssignedResourcesIds: [ + '' + ] + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "hbhbwaf001" + }, + "sku": { + "value": "F0" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "userAssignedResourcesIds": [ + "" + ] + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/healthcare-apis/workspace/README.md b/modules/healthcare-apis/workspace/README.md index 75580c51f9..5c58fab11a 100644 --- a/modules/healthcare-apis/workspace/README.md +++ b/modules/healthcare-apis/workspace/README.md @@ -34,6 +34,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -373,6 +374,288 @@ module workspace 'br:bicep/modules/healthcare-apis.workspace:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module workspace 'br:bicep/modules/healthcare-apis.workspace:1.0.0' = { + name: '${uniqueString(deployment().name)}-test-hawwaf' + params: { + // Required parameters + name: 'hawwaf001' + // Non-required parameters + dicomservices: [ + { + corsAllowCredentials: false + corsHeaders: [ + '*' + ] + corsMaxAge: 600 + corsMethods: [ + 'GET' + ] + corsOrigins: [ + '*' + ] + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + location: '' + managedIdentities: { + systemAssigned: false + userAssignedResourcesIds: [ + '' + ] + } + name: 'az-dicom-x-001' + publicNetworkAccess: 'Enabled' + workspaceName: 'hawwaf001' + } + ] + enableDefaultTelemetry: '' + fhirservices: [ + { + corsAllowCredentials: false + corsHeaders: [ + '*' + ] + corsMaxAge: 600 + corsMethods: [ + 'GET' + ] + corsOrigins: [ + '*' + ] + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + importEnabled: false + initialImportMode: false + kind: 'fhir-R4' + location: '' + managedIdentities: { + systemAssigned: false + userAssignedResourcesIds: [ + '' + ] + } + name: 'az-fhir-x-001' + publicNetworkAccess: 'Enabled' + resourceVersionPolicy: 'versioned' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '' + } + ] + smartProxyEnabled: false + workspaceName: 'hawwaf001' + } + ] + location: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + publicNetworkAccess: 'Enabled' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "hawwaf001" + }, + // Non-required parameters + "dicomservices": { + "value": [ + { + "corsAllowCredentials": false, + "corsHeaders": [ + "*" + ], + "corsMaxAge": 600, + "corsMethods": [ + "GET" + ], + "corsOrigins": [ + "*" + ], + "diagnosticSettings": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ], + "enableDefaultTelemetry": "", + "location": "", + "managedIdentities": { + "systemAssigned": false, + "userAssignedResourcesIds": [ + "" + ] + }, + "name": "az-dicom-x-001", + "publicNetworkAccess": "Enabled", + "workspaceName": "hawwaf001" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "fhirservices": { + "value": [ + { + "corsAllowCredentials": false, + "corsHeaders": [ + "*" + ], + "corsMaxAge": 600, + "corsMethods": [ + "GET" + ], + "corsOrigins": [ + "*" + ], + "diagnosticSettings": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ], + "enableDefaultTelemetry": "", + "importEnabled": false, + "initialImportMode": false, + "kind": "fhir-R4", + "location": "", + "managedIdentities": { + "systemAssigned": false, + "userAssignedResourcesIds": [ + "" + ] + }, + "name": "az-fhir-x-001", + "publicNetworkAccess": "Enabled", + "resourceVersionPolicy": "versioned", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "" + } + ], + "smartProxyEnabled": false, + "workspaceName": "hawwaf001" + } + ] + }, + "location": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "publicNetworkAccess": { + "value": "Enabled" + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/insights/action-group/README.md b/modules/insights/action-group/README.md index d0edf08b29..36196c3663 100644 --- a/modules/insights/action-group/README.md +++ b/modules/insights/action-group/README.md @@ -30,6 +30,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -205,6 +206,128 @@ module actionGroup 'br:bicep/modules/insights.action-group:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module actionGroup 'br:bicep/modules/insights.action-group:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-iagwaf' + params: { + // Required parameters + groupShortName: 'agiagwaf001' + name: 'iagwaf001' + // Non-required parameters + emailReceivers: [ + { + emailAddress: 'test.user@testcompany.com' + name: 'TestUser_-EmailAction-' + useCommonAlertSchema: true + } + { + emailAddress: 'test.user2@testcompany.com' + name: 'TestUser2' + useCommonAlertSchema: true + } + ] + enableDefaultTelemetry: '' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + smsReceivers: [ + { + countryCode: '1' + name: 'TestUser_-SMSAction-' + phoneNumber: '2345678901' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "groupShortName": { + "value": "agiagwaf001" + }, + "name": { + "value": "iagwaf001" + }, + // Non-required parameters + "emailReceivers": { + "value": [ + { + "emailAddress": "test.user@testcompany.com", + "name": "TestUser_-EmailAction-", + "useCommonAlertSchema": true + }, + { + "emailAddress": "test.user2@testcompany.com", + "name": "TestUser2", + "useCommonAlertSchema": true + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "smsReceivers": { + "value": [ + { + "countryCode": "1", + "name": "TestUser_-SMSAction-", + "phoneNumber": "2345678901" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/insights/activity-log-alert/README.md b/modules/insights/activity-log-alert/README.md index 5af0e285e5..09d6045d46 100644 --- a/modules/insights/activity-log-alert/README.md +++ b/modules/insights/activity-log-alert/README.md @@ -26,6 +26,7 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/insights.activity-log-alert:1.0.0`. - [Using large parameter set](#example-1-using-large-parameter-set) +- [WAF-aligned](#example-2-waf-aligned) ### Example 1: _Using large parameter set_ @@ -189,6 +190,168 @@ module activityLogAlert 'br:bicep/modules/insights.activity-log-alert:1.0.0' = {

+### Example 2: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module activityLogAlert 'br:bicep/modules/insights.activity-log-alert:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-ialawaf' + params: { + // Required parameters + conditions: [ + { + equals: 'ServiceHealth' + field: 'category' + } + { + anyOf: [ + { + equals: 'Incident' + field: 'properties.incidentType' + } + { + equals: 'Maintenance' + field: 'properties.incidentType' + } + ] + } + { + containsAny: [ + 'Action Groups' + 'Activity Logs & Alerts' + ] + field: 'properties.impactedServices[*].ServiceName' + } + { + containsAny: [ + 'Global' + 'West Europe' + ] + field: 'properties.impactedServices[*].ImpactedRegions[*].RegionName' + } + ] + name: 'ialawaf001' + // Non-required parameters + actions: [ + { + actionGroupId: '' + } + ] + enableDefaultTelemetry: '' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + scopes: [ + '' + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "conditions": { + "value": [ + { + "equals": "ServiceHealth", + "field": "category" + }, + { + "anyOf": [ + { + "equals": "Incident", + "field": "properties.incidentType" + }, + { + "equals": "Maintenance", + "field": "properties.incidentType" + } + ] + }, + { + "containsAny": [ + "Action Groups", + "Activity Logs & Alerts" + ], + "field": "properties.impactedServices[*].ServiceName" + }, + { + "containsAny": [ + "Global", + "West Europe" + ], + "field": "properties.impactedServices[*].ImpactedRegions[*].RegionName" + } + ] + }, + "name": { + "value": "ialawaf001" + }, + // Non-required parameters + "actions": { + "value": [ + { + "actionGroupId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "scopes": { + "value": [ + "" + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/insights/component/README.md b/modules/insights/component/README.md index 7bbf106053..d3ae5f6d37 100644 --- a/modules/insights/component/README.md +++ b/modules/insights/component/README.md @@ -28,6 +28,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -191,6 +192,116 @@ module component 'br:bicep/modules/insights.component:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module component 'br:bicep/modules/insights.component:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-icwaf' + params: { + // Required parameters + name: 'icwaf001' + workspaceResourceId: '' + // Non-required parameters + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "icwaf001" + }, + "workspaceResourceId": { + "value": "" + }, + // Non-required parameters + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/insights/data-collection-endpoint/README.md b/modules/insights/data-collection-endpoint/README.md index 9713158d2b..d6ae7ac41e 100644 --- a/modules/insights/data-collection-endpoint/README.md +++ b/modules/insights/data-collection-endpoint/README.md @@ -28,6 +28,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -171,6 +172,100 @@ module dataCollectionEndpoint 'br:bicep/modules/insights.data-collection-endpoin

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module dataCollectionEndpoint 'br:bicep/modules/insights.data-collection-endpoint:1.0.0' = { + name: '${uniqueString(deployment().name)}-test-idcewaf' + params: { + // Required parameters + name: 'idcewaf001' + // Non-required parameters + enableDefaultTelemetry: '' + kind: 'Windows' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + publicNetworkAccess: 'Enabled' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + kind: 'Windows' + resourceType: 'Data Collection Rules' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "idcewaf001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "kind": { + "value": "Windows" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "publicNetworkAccess": { + "value": "Enabled" + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "hidden-title": "This is visible in the resource name", + "kind": "Windows", + "resourceType": "Data Collection Rules" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/insights/diagnostic-setting/README.md b/modules/insights/diagnostic-setting/README.md index a0353d69b1..acfb26a890 100644 --- a/modules/insights/diagnostic-setting/README.md +++ b/modules/insights/diagnostic-setting/README.md @@ -25,6 +25,7 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/insights.diagnostic-setting:1.0.0`. - [Using large parameter set](#example-1-using-large-parameter-set) +- [WAF-aligned](#example-2-waf-aligned) ### Example 1: _Using large parameter set_ @@ -98,6 +99,78 @@ module diagnosticSetting 'br:bicep/modules/insights.diagnostic-setting:1.0.0' =

+### Example 2: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module diagnosticSetting 'br:bicep/modules/insights.diagnostic-setting:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-idswaf' + params: { + enableDefaultTelemetry: '' + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'idswaf001' + storageAccountResourceId: '' + workspaceResourceId: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "enableDefaultTelemetry": { + "value": "" + }, + "eventHubAuthorizationRuleResourceId": { + "value": "" + }, + "eventHubName": { + "value": "" + }, + "metricCategories": { + "value": [ + { + "category": "AllMetrics" + } + ] + }, + "name": { + "value": "idswaf001" + }, + "storageAccountResourceId": { + "value": "" + }, + "workspaceResourceId": { + "value": "" + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/insights/metric-alert/README.md b/modules/insights/metric-alert/README.md index a213c126aa..2a8c4ddd54 100644 --- a/modules/insights/metric-alert/README.md +++ b/modules/insights/metric-alert/README.md @@ -26,6 +26,7 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/insights.metric-alert:1.0.0`. - [Using large parameter set](#example-1-using-large-parameter-set) +- [WAF-aligned](#example-2-waf-aligned) ### Example 1: _Using large parameter set_ @@ -151,6 +152,130 @@ module metricAlert 'br:bicep/modules/insights.metric-alert:1.0.0' = {

+### Example 2: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module metricAlert 'br:bicep/modules/insights.metric-alert:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-imawaf' + params: { + // Required parameters + criterias: [ + { + criterionType: 'StaticThresholdCriterion' + metricName: 'Percentage CPU' + metricNamespace: 'microsoft.compute/virtualmachines' + name: 'HighCPU' + operator: 'GreaterThan' + threshold: '90' + timeAggregation: 'Average' + } + ] + name: 'imawaf001' + // Non-required parameters + actions: [ + '' + ] + alertCriteriaType: 'Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria' + enableDefaultTelemetry: '' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + targetResourceRegion: 'westeurope' + targetResourceType: 'microsoft.compute/virtualmachines' + windowSize: 'PT15M' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "criterias": { + "value": [ + { + "criterionType": "StaticThresholdCriterion", + "metricName": "Percentage CPU", + "metricNamespace": "microsoft.compute/virtualmachines", + "name": "HighCPU", + "operator": "GreaterThan", + "threshold": "90", + "timeAggregation": "Average" + } + ] + }, + "name": { + "value": "imawaf001" + }, + // Non-required parameters + "actions": { + "value": [ + "" + ] + }, + "alertCriteriaType": { + "value": "Microsoft.Azure.Monitor.MultipleResourceMultipleMetricCriteria" + }, + "enableDefaultTelemetry": { + "value": "" + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "targetResourceRegion": { + "value": "westeurope" + }, + "targetResourceType": { + "value": "microsoft.compute/virtualmachines" + }, + "windowSize": { + "value": "PT15M" + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/insights/private-link-scope/README.md b/modules/insights/private-link-scope/README.md index 57e6b05caa..847be38edc 100644 --- a/modules/insights/private-link-scope/README.md +++ b/modules/insights/private-link-scope/README.md @@ -31,6 +31,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -196,6 +197,123 @@ This instance deploys the module with most of its features enabled.

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep + name: '${uniqueString(deployment().name, location)}-test-iplswaf' + params: { + // Required parameters + name: 'iplswaf001' + // Non-required parameters + enableDefaultTelemetry: '' + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + scopedResources: [ + { + linkedResourceId: '' + name: 'scoped1' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "iplswaf001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "scopedResources": { + "value": [ + { + "linkedResourceId": "", + "name": "scoped1" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/insights/scheduled-query-rule/README.md b/modules/insights/scheduled-query-rule/README.md index b84ede93c0..c243ee7cbb 100644 --- a/modules/insights/scheduled-query-rule/README.md +++ b/modules/insights/scheduled-query-rule/README.md @@ -26,6 +26,7 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/insights.scheduled-query-rule:1.0.0`. - [Using large parameter set](#example-1-using-large-parameter-set) +- [WAF-aligned](#example-2-waf-aligned) ### Example 1: _Using large parameter set_ @@ -191,6 +192,170 @@ module scheduledQueryRule 'br:bicep/modules/insights.scheduled-query-rule:1.0.0'

+### Example 2: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module scheduledQueryRule 'br:bicep/modules/insights.scheduled-query-rule:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-isqrwaf' + params: { + // Required parameters + criterias: { + allOf: [ + { + dimensions: [ + { + name: 'Computer' + operator: 'Include' + values: [ + '*' + ] + } + { + name: 'InstanceName' + operator: 'Include' + values: [ + '*' + ] + } + ] + metricMeasureColumn: 'AggregatedValue' + operator: 'GreaterThan' + query: 'Perf | where ObjectName == \'LogicalDisk\' | where CounterName == \'% Free Space\' | where InstanceName <> \'HarddiskVolume1\' and InstanceName <> \'_Total\' | summarize AggregatedValue = min(CounterValue) by Computer InstanceName bin(TimeGenerated5m)' + threshold: 0 + timeAggregation: 'Average' + } + ] + } + name: 'isqrwaf001' + scopes: [ + '' + ] + // Non-required parameters + alertDescription: 'My sample Alert' + autoMitigate: false + enableDefaultTelemetry: '' + evaluationFrequency: 'PT5M' + queryTimeRange: 'PT5M' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + suppressForMinutes: 'PT5M' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + windowSize: 'PT5M' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "criterias": { + "value": { + "allOf": [ + { + "dimensions": [ + { + "name": "Computer", + "operator": "Include", + "values": [ + "*" + ] + }, + { + "name": "InstanceName", + "operator": "Include", + "values": [ + "*" + ] + } + ], + "metricMeasureColumn": "AggregatedValue", + "operator": "GreaterThan", + "query": "Perf | where ObjectName == \"LogicalDisk\" | where CounterName == \"% Free Space\" | where InstanceName <> \"HarddiskVolume1\" and InstanceName <> \"_Total\" | summarize AggregatedValue = min(CounterValue) by Computer, InstanceName, bin(TimeGenerated,5m)", + "threshold": 0, + "timeAggregation": "Average" + } + ] + } + }, + "name": { + "value": "isqrwaf001" + }, + "scopes": { + "value": [ + "" + ] + }, + // Non-required parameters + "alertDescription": { + "value": "My sample Alert" + }, + "autoMitigate": { + "value": false + }, + "enableDefaultTelemetry": { + "value": "" + }, + "evaluationFrequency": { + "value": "PT5M" + }, + "queryTimeRange": { + "value": "PT5M" + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "suppressForMinutes": { + "value": "PT5M" + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "windowSize": { + "value": "PT5M" + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/insights/webtest/README.md b/modules/insights/webtest/README.md index 9d2e805c8a..3f532543ca 100644 --- a/modules/insights/webtest/README.md +++ b/modules/insights/webtest/README.md @@ -28,6 +28,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -199,6 +200,104 @@ module webtest 'br:bicep/modules/insights.webtest:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module webtest 'br:bicep/modules/insights.webtest:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-iwtwaf' + params: { + // Required parameters + name: 'iwtwaf001' + request: { + HttpVerb: 'GET' + RequestUrl: 'https://learn.microsoft.com/en-us/' + } + tags: { + 'hidden-link:${nestedDependencies.outputs.appInsightResourceId}': 'Resource' + 'hidden-title': 'This is visible in the resource name' + } + webTestName: 'wt$iwtwaf001' + // Non-required parameters + enableDefaultTelemetry: '' + locations: [ + { + Id: 'emea-nl-ams-azr' + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + syntheticMonitorId: 'iwtwaf001' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "iwtwaf001" + }, + "request": { + "value": { + "HttpVerb": "GET", + "RequestUrl": "https://learn.microsoft.com/en-us/" + } + }, + "tags": { + "value": { + "hidden-link:${nestedDependencies.outputs.appInsightResourceId}": "Resource", + "hidden-title": "This is visible in the resource name" + } + }, + "webTestName": { + "value": "wt$iwtwaf001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "locations": { + "value": [ + { + "Id": "emea-nl-ams-azr" + } + ] + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "syntheticMonitorId": { + "value": "iwtwaf001" + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/key-vault/vault/README.md b/modules/key-vault/vault/README.md index 2072456778..155324660e 100644 --- a/modules/key-vault/vault/README.md +++ b/modules/key-vault/vault/README.md @@ -38,6 +38,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-2-using-only-defaults) - [Using large parameter set](#example-3-using-large-parameter-set) - [Pe](#example-4-pe) +- [WAF-aligned](#example-5-waf-aligned) ### Example 1: _Accesspolicies_ @@ -775,6 +776,308 @@ module vault 'br:bicep/modules/key-vault.vault:1.0.0' = {

+### Example 5: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module vault 'br:bicep/modules/key-vault.vault:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-kvvwaf' + params: { + // Required parameters + name: 'kvvwaf002' + // Non-required parameters + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + enablePurgeProtection: false + enableRbacAuthorization: true + keys: [ + { + attributesExp: 1725109032 + attributesNbf: 10000 + name: 'keyName' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + rotationPolicy: { + attributes: { + expiryTime: 'P2Y' + } + lifetimeActions: [ + { + action: { + type: 'Rotate' + } + trigger: { + timeBeforeExpiry: 'P2M' + } + } + { + action: { + type: 'Notify' + } + trigger: { + timeBeforeExpiry: 'P30D' + } + } + ] + } + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + networkAcls: { + bypass: 'AzureServices' + defaultAction: 'Deny' + ipRules: [ + { + value: '40.74.28.0/23' + } + ] + virtualNetworkRules: [ + { + id: '' + ignoreMissingVnetServiceEndpoint: false + } + ] + } + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + service: 'vault' + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + secrets: { + secureList: [ + { + attributesExp: 1702648632 + attributesNbf: 10000 + contentType: 'Something' + name: 'secretName' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + value: 'secretValue' + } + ] + } + softDeleteRetentionInDays: 7 + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "value": "kvvwaf002" + }, + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "enablePurgeProtection": { + "value": false + }, + "enableRbacAuthorization": { + "value": true + }, + "keys": { + "value": [ + { + "attributesExp": 1725109032, + "attributesNbf": 10000, + "name": "keyName", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "rotationPolicy": { + "attributes": { + "expiryTime": "P2Y" + }, + "lifetimeActions": [ + { + "action": { + "type": "Rotate" + }, + "trigger": { + "timeBeforeExpiry": "P2M" + } + }, + { + "action": { + "type": "Notify" + }, + "trigger": { + "timeBeforeExpiry": "P30D" + } + } + ] + } + } + ] + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "networkAcls": { + "value": { + "bypass": "AzureServices", + "defaultAction": "Deny", + "ipRules": [ + { + "value": "40.74.28.0/23" + } + ], + "virtualNetworkRules": [ + { + "id": "", + "ignoreMissingVnetServiceEndpoint": false + } + ] + } + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "service": "vault", + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "secrets": { + "value": { + "secureList": [ + { + "attributesExp": 1702648632, + "attributesNbf": 10000, + "contentType": "Something", + "name": "secretName", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "value": "secretValue" + } + ] + } + }, + "softDeleteRetentionInDays": { + "value": 7 + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/kubernetes-configuration/extension/README.md b/modules/kubernetes-configuration/extension/README.md index 34c51d8bc7..9019bb4998 100644 --- a/modules/kubernetes-configuration/extension/README.md +++ b/modules/kubernetes-configuration/extension/README.md @@ -29,6 +29,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -208,6 +209,120 @@ module extension 'br:bicep/modules/kubernetes-configuration.extension:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module extension 'br:bicep/modules/kubernetes-configuration.extension:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-kcewaf' + params: { + // Required parameters + clusterName: '' + extensionType: 'microsoft.flux' + name: 'kcewaf001' + // Non-required parameters + configurationSettings: { + 'image-automation-controller.enabled': 'false' + 'image-reflector-controller.enabled': 'false' + 'kustomize-controller.enabled': 'true' + 'notification-controller.enabled': 'false' + 'source-controller.enabled': 'true' + } + enableDefaultTelemetry: '' + fluxConfigurations: [ + { + gitRepository: { + repositoryRef: { + branch: 'main' + } + sshKnownHosts: '' + syncIntervalInSeconds: 300 + timeoutInSeconds: 180 + url: 'https://github.com/mspnp/aks-baseline' + } + namespace: 'flux-system' + } + ] + releaseNamespace: 'flux-system' + releaseTrain: 'Stable' + version: '0.5.2' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "clusterName": { + "value": "" + }, + "extensionType": { + "value": "microsoft.flux" + }, + "name": { + "value": "kcewaf001" + }, + // Non-required parameters + "configurationSettings": { + "value": { + "image-automation-controller.enabled": "false", + "image-reflector-controller.enabled": "false", + "kustomize-controller.enabled": "true", + "notification-controller.enabled": "false", + "source-controller.enabled": "true" + } + }, + "enableDefaultTelemetry": { + "value": "" + }, + "fluxConfigurations": { + "value": [ + { + "gitRepository": { + "repositoryRef": { + "branch": "main" + }, + "sshKnownHosts": "", + "syncIntervalInSeconds": 300, + "timeoutInSeconds": 180, + "url": "https://github.com/mspnp/aks-baseline" + }, + "namespace": "flux-system" + } + ] + }, + "releaseNamespace": { + "value": "flux-system" + }, + "releaseTrain": { + "value": "Stable" + }, + "version": { + "value": "0.5.2" + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/kubernetes-configuration/flux-configuration/README.md b/modules/kubernetes-configuration/flux-configuration/README.md index 22030b57cc..31ff175b92 100644 --- a/modules/kubernetes-configuration/flux-configuration/README.md +++ b/modules/kubernetes-configuration/flux-configuration/README.md @@ -29,6 +29,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -212,6 +213,108 @@ module fluxConfiguration 'br:bicep/modules/kubernetes-configuration.flux-configu

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module fluxConfiguration 'br:bicep/modules/kubernetes-configuration.flux-configuration:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-kcfcwaf' + params: { + // Required parameters + clusterName: '' + name: 'kcfcwaf001' + namespace: 'flux-system' + sourceKind: 'GitRepository' + // Non-required parameters + enableDefaultTelemetry: '' + gitRepository: { + repositoryRef: { + branch: 'main' + } + sshKnownHosts: '' + syncIntervalInSeconds: 300 + timeoutInSeconds: 180 + url: 'https://github.com/mspnp/aks-baseline' + } + kustomizations: { + unified: { + dependsOn: [] + force: false + path: './cluster-manifests' + prune: true + syncIntervalInSeconds: 300 + timeoutInSeconds: 300 + } + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "clusterName": { + "value": "" + }, + "name": { + "value": "kcfcwaf001" + }, + "namespace": { + "value": "flux-system" + }, + "sourceKind": { + "value": "GitRepository" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "gitRepository": { + "value": { + "repositoryRef": { + "branch": "main" + }, + "sshKnownHosts": "", + "syncIntervalInSeconds": 300, + "timeoutInSeconds": 180, + "url": "https://github.com/mspnp/aks-baseline" + } + }, + "kustomizations": { + "value": { + "unified": { + "dependsOn": [], + "force": false, + "path": "./cluster-manifests", + "prune": true, + "syncIntervalInSeconds": 300, + "timeoutInSeconds": 300 + } + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/logic/workflow/README.md b/modules/logic/workflow/README.md index ab3cbde145..9febb50863 100644 --- a/modules/logic/workflow/README.md +++ b/modules/logic/workflow/README.md @@ -29,6 +29,7 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/logic.workflow:1.0.0`. - [Using large parameter set](#example-1-using-large-parameter-set) +- [WAF-aligned](#example-2-waf-aligned) ### Example 1: _Using large parameter set_ @@ -224,6 +225,200 @@ module workflow 'br:bicep/modules/logic.workflow:1.0.0' = {

+### Example 2: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module workflow 'br:bicep/modules/logic.workflow:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-lwwaf' + params: { + // Required parameters + name: 'lwwaf001' + // Non-required parameters + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + userAssignedResourcesIds: [ + '' + ] + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + workflowActions: { + HTTP: { + inputs: { + body: { + BeginPeakTime: '' + EndPeakTime: '' + HostPoolName: '' + LAWorkspaceName: '' + LimitSecondsToForceLogOffUser: '' + LogOffMessageBody: '' + LogOffMessageTitle: '' + MinimumNumberOfRDSH: 1 + ResourceGroupName: '' + SessionThresholdPerCPU: 1 + UtcOffset: '' + } + method: 'POST' + uri: 'https://testStringForValidation.com' + } + type: 'Http' + } + } + workflowTriggers: { + Recurrence: { + recurrence: { + frequency: 'Minute' + interval: 15 + } + type: 'Recurrence' + } + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "lwwaf001" + }, + // Non-required parameters + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "userAssignedResourcesIds": [ + "" + ] + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "workflowActions": { + "value": { + "HTTP": { + "inputs": { + "body": { + "BeginPeakTime": "", + "EndPeakTime": "", + "HostPoolName": "", + "LAWorkspaceName": "", + "LimitSecondsToForceLogOffUser": "", + "LogOffMessageBody": "", + "LogOffMessageTitle": "", + "MinimumNumberOfRDSH": 1, + "ResourceGroupName": "", + "SessionThresholdPerCPU": 1, + "UtcOffset": "" + }, + "method": "POST", + "uri": "https://testStringForValidation.com" + }, + "type": "Http" + } + } + }, + "workflowTriggers": { + "value": { + "Recurrence": { + "recurrence": { + "frequency": "Minute", + "interval": 15 + }, + "type": "Recurrence" + } + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/machine-learning-services/workspace/README.md b/modules/machine-learning-services/workspace/README.md index e40a7da849..73ef5e3ceb 100644 --- a/modules/machine-learning-services/workspace/README.md +++ b/modules/machine-learning-services/workspace/README.md @@ -34,6 +34,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Encr](#example-2-encr) - [Using large parameter set](#example-3-using-large-parameter-set) +- [WAF-aligned](#example-4-waf-aligned) ### Example 1: _Using only defaults_ @@ -492,6 +493,258 @@ module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' =

+### Example 4: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module workspace 'br:bicep/modules/machine-learning-services.workspace:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-mlswwaf' + params: { + // Required parameters + associatedApplicationInsightsResourceId: '' + associatedKeyVaultResourceId: '' + associatedStorageAccountResourceId: '' + name: 'mlswwaf001' + sku: 'Premium' + // Non-required parameters + computes: [ + { + computeLocation: 'westeurope' + computeType: 'AmlCompute' + description: 'Default CPU Cluster' + disableLocalAuth: false + location: 'westeurope' + managedIdentities: { + systemAssigned: false + userAssignedResourcesIds: [ + '' + ] + } + name: 'DefaultCPU' + properties: { + enableNodePublicIp: true + isolatedNetwork: false + osType: 'Linux' + remoteLoginPortPublicAccess: 'Disabled' + scaleSettings: { + maxNodeCount: 3 + minNodeCount: 0 + nodeIdleTimeBeforeScaleDown: 'PT5M' + } + vmPriority: 'Dedicated' + vmSize: 'STANDARD_DS11_V2' + } + sku: 'Basic' + } + ] + description: 'The cake is a lie.' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + discoveryUrl: 'http://example.com' + enableDefaultTelemetry: '' + imageBuildCompute: 'testcompute' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + systemAssigned: false + userAssignedResourcesIds: [ + '' + ] + } + primaryUserAssignedIdentity: '' + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "associatedApplicationInsightsResourceId": { + "value": "" + }, + "associatedKeyVaultResourceId": { + "value": "" + }, + "associatedStorageAccountResourceId": { + "value": "" + }, + "name": { + "value": "mlswwaf001" + }, + "sku": { + "value": "Premium" + }, + // Non-required parameters + "computes": { + "value": [ + { + "computeLocation": "westeurope", + "computeType": "AmlCompute", + "description": "Default CPU Cluster", + "disableLocalAuth": false, + "location": "westeurope", + "managedIdentities": { + "systemAssigned": false, + "userAssignedResourcesIds": [ + "" + ] + }, + "name": "DefaultCPU", + "properties": { + "enableNodePublicIp": true, + "isolatedNetwork": false, + "osType": "Linux", + "remoteLoginPortPublicAccess": "Disabled", + "scaleSettings": { + "maxNodeCount": 3, + "minNodeCount": 0, + "nodeIdleTimeBeforeScaleDown": "PT5M" + }, + "vmPriority": "Dedicated", + "vmSize": "STANDARD_DS11_V2" + }, + "sku": "Basic" + } + ] + }, + "description": { + "value": "The cake is a lie." + }, + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "discoveryUrl": { + "value": "http://example.com" + }, + "enableDefaultTelemetry": { + "value": "" + }, + "imageBuildCompute": { + "value": "testcompute" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "systemAssigned": false, + "userAssignedResourcesIds": [ + "" + ] + } + }, + "primaryUserAssignedIdentity": { + "value": "" + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/maintenance/maintenance-configuration/README.md b/modules/maintenance/maintenance-configuration/README.md index 187dac5dc9..208ba523f4 100644 --- a/modules/maintenance/maintenance-configuration/README.md +++ b/modules/maintenance/maintenance-configuration/README.md @@ -28,6 +28,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -229,6 +230,158 @@ module maintenanceConfiguration 'br:bicep/modules/maintenance.maintenance-config

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module maintenanceConfiguration 'br:bicep/modules/maintenance.maintenance-configuration:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-mmcwaf' + params: { + // Required parameters + name: 'mmcwaf001' + // Non-required parameters + enableDefaultTelemetry: '' + extensionProperties: { + InGuestPatchMode: 'User' + } + installPatches: { + linuxParameters: { + classificationsToInclude: '' + packageNameMasksToExclude: '' + packageNameMasksToInclude: '' + } + rebootSetting: 'IfRequired' + windowsParameters: { + classificationsToInclude: [ + 'Critical' + 'Security' + ] + kbNumbersToExclude: '' + kbNumbersToInclude: '' + } + } + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + maintenanceWindow: { + duration: '03:00' + expirationDateTime: '9999-12-31 23:59:59' + recurEvery: 'Day' + startDateTime: '2022-12-31 13:00' + timeZone: 'W. Europe Standard Time' + } + namespace: 'mmcwafns' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + visibility: 'Custom' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "mmcwaf001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "extensionProperties": { + "value": { + "InGuestPatchMode": "User" + } + }, + "installPatches": { + "value": { + "linuxParameters": { + "classificationsToInclude": "", + "packageNameMasksToExclude": "", + "packageNameMasksToInclude": "" + }, + "rebootSetting": "IfRequired", + "windowsParameters": { + "classificationsToInclude": [ + "Critical", + "Security" + ], + "kbNumbersToExclude": "", + "kbNumbersToInclude": "" + } + } + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "maintenanceWindow": { + "value": { + "duration": "03:00", + "expirationDateTime": "9999-12-31 23:59:59", + "recurEvery": "Day", + "startDateTime": "2022-12-31 13:00", + "timeZone": "W. Europe Standard Time" + } + }, + "namespace": { + "value": "mmcwafns" + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "visibility": { + "value": "Custom" + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/managed-identity/user-assigned-identity/README.md b/modules/managed-identity/user-assigned-identity/README.md index d76e767ebe..c2e921ae09 100644 --- a/modules/managed-identity/user-assigned-identity/README.md +++ b/modules/managed-identity/user-assigned-identity/README.md @@ -29,6 +29,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -174,6 +175,110 @@ module userAssignedIdentity 'br:bicep/modules/managed-identity.user-assigned-ide

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module userAssignedIdentity 'br:bicep/modules/managed-identity.user-assigned-identity:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-miuaiwaf' + params: { + enableDefaultTelemetry: '' + federatedIdentityCredentials: [ + { + audiences: [ + 'api://AzureADTokenExchange' + ] + issuer: '' + name: 'test-fed-cred-miuaiwaf-001' + subject: 'system:serviceaccount:default:workload-identity-sa' + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + name: 'miuaiwaf001' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "enableDefaultTelemetry": { + "value": "" + }, + "federatedIdentityCredentials": { + "value": [ + { + "audiences": [ + "api://AzureADTokenExchange" + ], + "issuer": "", + "name": "test-fed-cred-miuaiwaf-001", + "subject": "system:serviceaccount:default:workload-identity-sa" + } + ] + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "name": { + "value": "miuaiwaf001" + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/managed-services/registration-definition/README.md b/modules/managed-services/registration-definition/README.md index 472774ac03..759632f268 100644 --- a/modules/managed-services/registration-definition/README.md +++ b/modules/managed-services/registration-definition/README.md @@ -32,6 +32,7 @@ The following section provides usage examples for the module, which were used to - [Using large parameter set](#example-1-using-large-parameter-set) - [Rg](#example-2-rg) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using large parameter set_ @@ -218,6 +219,98 @@ module registrationDefinition 'br:bicep/modules/managed-services.registration-de

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module registrationDefinition 'br:bicep/modules/managed-services.registration-definition:1.0.0' = { + name: '${uniqueString(deployment().name)}-test-msrdwaf' + params: { + // Required parameters + authorizations: [ + { + principalId: '<< SET YOUR PRINCIPAL ID 1 HERE >>' + principalIdDisplayName: 'ResourceModules-Reader' + roleDefinitionId: 'acdd72a7-3385-48ef-bd42-f606fba81ae7' + } + { + principalId: '<< SET YOUR PRINCIPAL ID 2 HERE >>' + principalIdDisplayName: 'ResourceModules-Contributor' + roleDefinitionId: 'b24988ac-6180-42a0-ab88-20f7382dd24c' + } + { + principalId: '<< SET YOUR PRINCIPAL ID 3 HERE >>' + principalIdDisplayName: 'ResourceModules-LHManagement' + roleDefinitionId: '91c1777a-f3dc-4fae-b103-61d183457e46' + } + ] + managedByTenantId: '<< SET YOUR TENANT ID HERE >>' + name: 'Component Validation - msrdwaf Subscription assignment' + registrationDescription: 'Managed by Lighthouse' + // Non-required parameters + enableDefaultTelemetry: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "authorizations": { + "value": [ + { + "principalId": "<< SET YOUR PRINCIPAL ID 1 HERE >>", + "principalIdDisplayName": "ResourceModules-Reader", + "roleDefinitionId": "acdd72a7-3385-48ef-bd42-f606fba81ae7" + }, + { + "principalId": "<< SET YOUR PRINCIPAL ID 2 HERE >>", + "principalIdDisplayName": "ResourceModules-Contributor", + "roleDefinitionId": "b24988ac-6180-42a0-ab88-20f7382dd24c" + }, + { + "principalId": "<< SET YOUR PRINCIPAL ID 3 HERE >>", + "principalIdDisplayName": "ResourceModules-LHManagement", + "roleDefinitionId": "91c1777a-f3dc-4fae-b103-61d183457e46" + } + ] + }, + "managedByTenantId": { + "value": "<< SET YOUR TENANT ID HERE >>" + }, + "name": { + "value": "Component Validation - msrdwaf Subscription assignment" + }, + "registrationDescription": { + "value": "Managed by Lighthouse" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/management/management-group/README.md b/modules/management/management-group/README.md index 38c1b4d408..d5e7a66097 100644 --- a/modules/management/management-group/README.md +++ b/modules/management/management-group/README.md @@ -31,6 +31,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -136,6 +137,62 @@ module managementGroup 'br:bicep/modules/management.management-group:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module managementGroup 'br:bicep/modules/management.management-group:1.0.0' = { + name: '${uniqueString(deployment().name)}-test-mmgwaf' + params: { + // Required parameters + name: 'mmgwaf001' + // Non-required parameters + displayName: 'Test MG' + enableDefaultTelemetry: '' + parentId: '' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "mmgwaf001" + }, + // Non-required parameters + "displayName": { + "value": "Test MG" + }, + "enableDefaultTelemetry": { + "value": "" + }, + "parentId": { + "value": "" + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/network/application-gateway-web-application-firewall-policy/README.md b/modules/network/application-gateway-web-application-firewall-policy/README.md index feb78de452..9b9ea51250 100644 --- a/modules/network/application-gateway-web-application-firewall-policy/README.md +++ b/modules/network/application-gateway-web-application-firewall-policy/README.md @@ -25,6 +25,7 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.application-gateway-web-application-firewall-policy:1.0.0`. - [Using large parameter set](#example-1-using-large-parameter-set) +- [WAF-aligned](#example-2-waf-aligned) ### Example 1: _Using large parameter set_ @@ -128,6 +129,108 @@ module applicationGatewayWebApplicationFirewallPolicy 'br:bicep/modules/network.

+### Example 2: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module applicationGatewayWebApplicationFirewallPolicy 'br:bicep/modules/network.application-gateway-web-application-firewall-policy:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nagwafpwaf' + params: { + // Required parameters + name: 'nagwafpwaf001' + // Non-required parameters + enableDefaultTelemetry: '' + managedRules: { + managedRuleSets: [ + { + ruleGroupOverrides: [] + ruleSetType: 'OWASP' + ruleSetVersion: '3.2' + } + { + ruleGroupOverrides: [] + ruleSetType: 'Microsoft_BotManagerRuleSet' + ruleSetVersion: '0.1' + } + ] + } + policySettings: { + fileUploadLimitInMb: 10 + mode: 'Prevention' + state: 'Enabled' + } + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "nagwafpwaf001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "managedRules": { + "value": { + "managedRuleSets": [ + { + "ruleGroupOverrides": [], + "ruleSetType": "OWASP", + "ruleSetVersion": "3.2" + }, + { + "ruleGroupOverrides": [], + "ruleSetType": "Microsoft_BotManagerRuleSet", + "ruleSetVersion": "0.1" + } + ] + } + }, + "policySettings": { + "value": { + "fileUploadLimitInMb": 10, + "mode": "Prevention", + "state": "Enabled" + } + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/network/application-gateway/README.md b/modules/network/application-gateway/README.md index 853769d2f6..0a7a5b8a1f 100644 --- a/modules/network/application-gateway/README.md +++ b/modules/network/application-gateway/README.md @@ -30,6 +30,7 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.application-gateway:1.0.0`. - [Using large parameter set](#example-1-using-large-parameter-set) +- [WAF-aligned](#example-2-waf-aligned) ### Example 1: _Using large parameter set_ @@ -965,6 +966,940 @@ module applicationGateway 'br:bicep/modules/network.application-gateway:1.0.0' =

+### Example 2: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module applicationGateway 'br:bicep/modules/network.application-gateway:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nagwaf' + params: { + // Required parameters + name: '' + // Non-required parameters + backendAddressPools: [ + { + name: 'appServiceBackendPool' + properties: { + backendAddresses: [ + { + fqdn: 'aghapp.azurewebsites.net' + } + ] + } + } + { + name: 'privateVmBackendPool' + properties: { + backendAddresses: [ + { + ipAddress: '10.0.0.4' + } + ] + } + } + ] + backendHttpSettingsCollection: [ + { + name: 'appServiceBackendHttpsSetting' + properties: { + cookieBasedAffinity: 'Disabled' + pickHostNameFromBackendAddress: true + port: 443 + protocol: 'Https' + requestTimeout: 30 + } + } + { + name: 'privateVmHttpSetting' + properties: { + cookieBasedAffinity: 'Disabled' + pickHostNameFromBackendAddress: false + port: 80 + probe: { + id: '' + } + protocol: 'Http' + requestTimeout: 30 + } + } + ] + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + enableHttp2: true + frontendIPConfigurations: [ + { + name: 'private' + properties: { + privateIPAddress: '10.0.0.20' + privateIPAllocationMethod: 'Static' + subnet: { + id: '' + } + } + } + { + name: 'public' + properties: { + privateIPAllocationMethod: 'Dynamic' + privateLinkConfiguration: { + id: '' + } + publicIPAddress: { + id: '' + } + } + } + ] + frontendPorts: [ + { + name: 'port443' + properties: { + port: 443 + } + } + { + name: 'port4433' + properties: { + port: 4433 + } + } + { + name: 'port80' + properties: { + port: 80 + } + } + { + name: 'port8080' + properties: { + port: 8080 + } + } + ] + gatewayIPConfigurations: [ + { + name: 'apw-ip-configuration' + properties: { + subnet: { + id: '' + } + } + } + ] + httpListeners: [ + { + name: 'public443' + properties: { + frontendIPConfiguration: { + id: '' + } + frontendPort: { + id: '' + } + hostNames: [] + protocol: 'https' + requireServerNameIndication: false + sslCertificate: { + id: '' + } + } + } + { + name: 'private4433' + properties: { + frontendIPConfiguration: { + id: '' + } + frontendPort: { + id: '' + } + hostNames: [] + protocol: 'https' + requireServerNameIndication: false + sslCertificate: { + id: '' + } + } + } + { + name: 'httpRedirect80' + properties: { + frontendIPConfiguration: { + id: '' + } + frontendPort: { + id: '' + } + hostNames: [] + protocol: 'Http' + requireServerNameIndication: false + } + } + { + name: 'httpRedirect8080' + properties: { + frontendIPConfiguration: { + id: '' + } + frontendPort: { + id: '' + } + hostNames: [] + protocol: 'Http' + requireServerNameIndication: false + } + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + userAssignedResourcesIds: [ + '' + ] + } + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + service: 'public' + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + Role: 'DeploymentValidation' + } + } + ] + privateLinkConfigurations: [ + { + id: '' + name: 'pvtlink01' + properties: { + ipConfigurations: [ + { + id: '' + name: 'privateLinkIpConfig1' + properties: { + primary: false + privateIPAllocationMethod: 'Dynamic' + subnet: { + id: '' + } + } + } + ] + } + } + ] + probes: [ + { + name: 'privateVmHttpSettingProbe' + properties: { + host: '10.0.0.4' + interval: 60 + match: { + statusCodes: [ + '200' + '401' + ] + } + minServers: 3 + path: '/' + pickHostNameFromBackendHttpSettings: false + protocol: 'Http' + timeout: 15 + unhealthyThreshold: 5 + } + } + ] + redirectConfigurations: [ + { + name: 'httpRedirect80' + properties: { + includePath: true + includeQueryString: true + redirectType: 'Permanent' + requestRoutingRules: [ + { + id: '' + } + ] + targetListener: { + id: '' + } + } + } + { + name: 'httpRedirect8080' + properties: { + includePath: true + includeQueryString: true + redirectType: 'Permanent' + requestRoutingRules: [ + { + id: '' + } + ] + targetListener: { + id: '' + } + } + } + ] + requestRoutingRules: [ + { + name: 'public443-appServiceBackendHttpsSetting-appServiceBackendHttpsSetting' + properties: { + backendAddressPool: { + id: '' + } + backendHttpSettings: { + id: '' + } + httpListener: { + id: '' + } + priority: 200 + ruleType: 'Basic' + } + } + { + name: 'private4433-privateVmHttpSetting-privateVmHttpSetting' + properties: { + backendAddressPool: { + id: '' + } + backendHttpSettings: { + id: '' + } + httpListener: { + id: '' + } + priority: 250 + ruleType: 'Basic' + } + } + { + name: 'httpRedirect80-public443' + properties: { + httpListener: { + id: '' + } + priority: 300 + redirectConfiguration: { + id: '' + } + ruleType: 'Basic' + } + } + { + name: 'httpRedirect8080-private4433' + properties: { + httpListener: { + id: '' + } + priority: 350 + redirectConfiguration: { + id: '' + } + rewriteRuleSet: { + id: '' + } + ruleType: 'Basic' + } + } + ] + rewriteRuleSets: [ + { + id: '' + name: 'customRewrite' + properties: { + rewriteRules: [ + { + actionSet: { + requestHeaderConfigurations: [ + { + headerName: 'Content-Type' + headerValue: 'JSON' + } + { + headerName: 'someheader' + } + ] + responseHeaderConfigurations: [] + } + conditions: [] + name: 'NewRewrite' + ruleSequence: 100 + } + ] + } + } + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + sku: 'WAF_v2' + sslCertificates: [ + { + name: 'az-apgw-x-001-ssl-certificate' + properties: { + keyVaultSecretId: '' + } + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + webApplicationFirewallConfiguration: { + disabledRuleGroups: [ + { + ruleGroupName: 'Known-CVEs' + } + { + ruleGroupName: 'REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION' + } + { + ruleGroupName: 'REQUEST-941-APPLICATION-ATTACK-XSS' + } + ] + enabled: true + exclusions: [ + { + matchVariable: 'RequestHeaderNames' + selector: 'hola' + selectorMatchOperator: 'StartsWith' + } + ] + fileUploadLimitInMb: 100 + firewallMode: 'Detection' + maxRequestBodySizeInKb: 128 + requestBodyCheck: true + ruleSetType: 'OWASP' + ruleSetVersion: '3.0' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "" + }, + // Non-required parameters + "backendAddressPools": { + "value": [ + { + "name": "appServiceBackendPool", + "properties": { + "backendAddresses": [ + { + "fqdn": "aghapp.azurewebsites.net" + } + ] + } + }, + { + "name": "privateVmBackendPool", + "properties": { + "backendAddresses": [ + { + "ipAddress": "10.0.0.4" + } + ] + } + } + ] + }, + "backendHttpSettingsCollection": { + "value": [ + { + "name": "appServiceBackendHttpsSetting", + "properties": { + "cookieBasedAffinity": "Disabled", + "pickHostNameFromBackendAddress": true, + "port": 443, + "protocol": "Https", + "requestTimeout": 30 + } + }, + { + "name": "privateVmHttpSetting", + "properties": { + "cookieBasedAffinity": "Disabled", + "pickHostNameFromBackendAddress": false, + "port": 80, + "probe": { + "id": "" + }, + "protocol": "Http", + "requestTimeout": 30 + } + } + ] + }, + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "enableHttp2": { + "value": true + }, + "frontendIPConfigurations": { + "value": [ + { + "name": "private", + "properties": { + "privateIPAddress": "10.0.0.20", + "privateIPAllocationMethod": "Static", + "subnet": { + "id": "" + } + } + }, + { + "name": "public", + "properties": { + "privateIPAllocationMethod": "Dynamic", + "privateLinkConfiguration": { + "id": "" + }, + "publicIPAddress": { + "id": "" + } + } + } + ] + }, + "frontendPorts": { + "value": [ + { + "name": "port443", + "properties": { + "port": 443 + } + }, + { + "name": "port4433", + "properties": { + "port": 4433 + } + }, + { + "name": "port80", + "properties": { + "port": 80 + } + }, + { + "name": "port8080", + "properties": { + "port": 8080 + } + } + ] + }, + "gatewayIPConfigurations": { + "value": [ + { + "name": "apw-ip-configuration", + "properties": { + "subnet": { + "id": "" + } + } + } + ] + }, + "httpListeners": { + "value": [ + { + "name": "public443", + "properties": { + "frontendIPConfiguration": { + "id": "" + }, + "frontendPort": { + "id": "" + }, + "hostNames": [], + "protocol": "https", + "requireServerNameIndication": false, + "sslCertificate": { + "id": "" + } + } + }, + { + "name": "private4433", + "properties": { + "frontendIPConfiguration": { + "id": "" + }, + "frontendPort": { + "id": "" + }, + "hostNames": [], + "protocol": "https", + "requireServerNameIndication": false, + "sslCertificate": { + "id": "" + } + } + }, + { + "name": "httpRedirect80", + "properties": { + "frontendIPConfiguration": { + "id": "" + }, + "frontendPort": { + "id": "" + }, + "hostNames": [], + "protocol": "Http", + "requireServerNameIndication": false + } + }, + { + "name": "httpRedirect8080", + "properties": { + "frontendIPConfiguration": { + "id": "" + }, + "frontendPort": { + "id": "" + }, + "hostNames": [], + "protocol": "Http", + "requireServerNameIndication": false + } + } + ] + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "userAssignedResourcesIds": [ + "" + ] + } + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "service": "public", + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "Role": "DeploymentValidation" + } + } + ] + }, + "privateLinkConfigurations": { + "value": [ + { + "id": "", + "name": "pvtlink01", + "properties": { + "ipConfigurations": [ + { + "id": "", + "name": "privateLinkIpConfig1", + "properties": { + "primary": false, + "privateIPAllocationMethod": "Dynamic", + "subnet": { + "id": "" + } + } + } + ] + } + } + ] + }, + "probes": { + "value": [ + { + "name": "privateVmHttpSettingProbe", + "properties": { + "host": "10.0.0.4", + "interval": 60, + "match": { + "statusCodes": [ + "200", + "401" + ] + }, + "minServers": 3, + "path": "/", + "pickHostNameFromBackendHttpSettings": false, + "protocol": "Http", + "timeout": 15, + "unhealthyThreshold": 5 + } + } + ] + }, + "redirectConfigurations": { + "value": [ + { + "name": "httpRedirect80", + "properties": { + "includePath": true, + "includeQueryString": true, + "redirectType": "Permanent", + "requestRoutingRules": [ + { + "id": "" + } + ], + "targetListener": { + "id": "" + } + } + }, + { + "name": "httpRedirect8080", + "properties": { + "includePath": true, + "includeQueryString": true, + "redirectType": "Permanent", + "requestRoutingRules": [ + { + "id": "" + } + ], + "targetListener": { + "id": "" + } + } + } + ] + }, + "requestRoutingRules": { + "value": [ + { + "name": "public443-appServiceBackendHttpsSetting-appServiceBackendHttpsSetting", + "properties": { + "backendAddressPool": { + "id": "" + }, + "backendHttpSettings": { + "id": "" + }, + "httpListener": { + "id": "" + }, + "priority": 200, + "ruleType": "Basic" + } + }, + { + "name": "private4433-privateVmHttpSetting-privateVmHttpSetting", + "properties": { + "backendAddressPool": { + "id": "" + }, + "backendHttpSettings": { + "id": "" + }, + "httpListener": { + "id": "" + }, + "priority": 250, + "ruleType": "Basic" + } + }, + { + "name": "httpRedirect80-public443", + "properties": { + "httpListener": { + "id": "" + }, + "priority": 300, + "redirectConfiguration": { + "id": "" + }, + "ruleType": "Basic" + } + }, + { + "name": "httpRedirect8080-private4433", + "properties": { + "httpListener": { + "id": "" + }, + "priority": 350, + "redirectConfiguration": { + "id": "" + }, + "rewriteRuleSet": { + "id": "" + }, + "ruleType": "Basic" + } + } + ] + }, + "rewriteRuleSets": { + "value": [ + { + "id": "", + "name": "customRewrite", + "properties": { + "rewriteRules": [ + { + "actionSet": { + "requestHeaderConfigurations": [ + { + "headerName": "Content-Type", + "headerValue": "JSON" + }, + { + "headerName": "someheader" + } + ], + "responseHeaderConfigurations": [] + }, + "conditions": [], + "name": "NewRewrite", + "ruleSequence": 100 + } + ] + } + } + ] + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "sku": { + "value": "WAF_v2" + }, + "sslCertificates": { + "value": [ + { + "name": "az-apgw-x-001-ssl-certificate", + "properties": { + "keyVaultSecretId": "" + } + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "webApplicationFirewallConfiguration": { + "value": { + "disabledRuleGroups": [ + { + "ruleGroupName": "Known-CVEs" + }, + { + "ruleGroupName": "REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION" + }, + { + "ruleGroupName": "REQUEST-941-APPLICATION-ATTACK-XSS" + } + ], + "enabled": true, + "exclusions": [ + { + "matchVariable": "RequestHeaderNames", + "selector": "hola", + "selectorMatchOperator": "StartsWith" + } + ], + "fileUploadLimitInMb": 100, + "firewallMode": "Detection", + "maxRequestBodySizeInKb": 128, + "requestBodyCheck": true, + "ruleSetType": "OWASP", + "ruleSetVersion": "3.0" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/network/application-security-group/README.md b/modules/network/application-security-group/README.md index 37e573fa66..362a0f108d 100644 --- a/modules/network/application-security-group/README.md +++ b/modules/network/application-security-group/README.md @@ -27,6 +27,7 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.application-security-group:1.0.0`. - [Using large parameter set](#example-1-using-large-parameter-set) +- [WAF-aligned](#example-2-waf-aligned) ### Example 1: _Using large parameter set_ @@ -114,6 +115,92 @@ module applicationSecurityGroup 'br:bicep/modules/network.application-security-g

+### Example 2: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module applicationSecurityGroup 'br:bicep/modules/network.application-security-group:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nasgwaf' + params: { + // Required parameters + name: 'nasgwaf001' + // Non-required parameters + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "nasgwaf001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/network/azure-firewall/README.md b/modules/network/azure-firewall/README.md index 2f41e39161..1a29630003 100644 --- a/modules/network/azure-firewall/README.md +++ b/modules/network/azure-firewall/README.md @@ -34,6 +34,7 @@ The following section provides usage examples for the module, which were used to - [Hubcommon](#example-4-hubcommon) - [Hubmin](#example-5-hubmin) - [Using large parameter set](#example-6-using-large-parameter-set) +- [WAF-aligned](#example-7-waf-aligned) ### Example 1: _Addpip_ @@ -747,6 +748,308 @@ module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = {

+### Example 7: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module azureFirewall 'br:bicep/modules/network.azure-firewall:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nafwaf' + params: { + // Required parameters + name: 'nafwaf001' + // Non-required parameters + applicationRuleCollections: [ + { + name: 'allow-app-rules' + properties: { + action: { + type: 'allow' + } + priority: 100 + rules: [ + { + fqdnTags: [ + 'AppServiceEnvironment' + 'WindowsUpdate' + ] + name: 'allow-ase-tags' + protocols: [ + { + port: '80' + protocolType: 'HTTP' + } + { + port: '443' + protocolType: 'HTTPS' + } + ] + sourceAddresses: [ + '*' + ] + } + { + name: 'allow-ase-management' + protocols: [ + { + port: '80' + protocolType: 'HTTP' + } + { + port: '443' + protocolType: 'HTTPS' + } + ] + sourceAddresses: [ + '*' + ] + targetFqdns: [ + 'bing.com' + ] + } + ] + } + } + ] + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + networkRuleCollections: [ + { + name: 'allow-network-rules' + properties: { + action: { + type: 'allow' + } + priority: 100 + rules: [ + { + destinationAddresses: [ + '*' + ] + destinationPorts: [ + '12000' + '123' + ] + name: 'allow-ntp' + protocols: [ + 'Any' + ] + sourceAddresses: [ + '*' + ] + } + ] + } + } + ] + publicIPResourceID: '' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + vNetId: '' + zones: [ + '1' + '2' + '3' + ] + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "nafwaf001" + }, + // Non-required parameters + "applicationRuleCollections": { + "value": [ + { + "name": "allow-app-rules", + "properties": { + "action": { + "type": "allow" + }, + "priority": 100, + "rules": [ + { + "fqdnTags": [ + "AppServiceEnvironment", + "WindowsUpdate" + ], + "name": "allow-ase-tags", + "protocols": [ + { + "port": "80", + "protocolType": "HTTP" + }, + { + "port": "443", + "protocolType": "HTTPS" + } + ], + "sourceAddresses": [ + "*" + ] + }, + { + "name": "allow-ase-management", + "protocols": [ + { + "port": "80", + "protocolType": "HTTP" + }, + { + "port": "443", + "protocolType": "HTTPS" + } + ], + "sourceAddresses": [ + "*" + ], + "targetFqdns": [ + "bing.com" + ] + } + ] + } + } + ] + }, + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "networkRuleCollections": { + "value": [ + { + "name": "allow-network-rules", + "properties": { + "action": { + "type": "allow" + }, + "priority": 100, + "rules": [ + { + "destinationAddresses": [ + "*" + ], + "destinationPorts": [ + "12000", + "123" + ], + "name": "allow-ntp", + "protocols": [ + "Any" + ], + "sourceAddresses": [ + "*" + ] + } + ] + } + } + ] + }, + "publicIPResourceID": { + "value": "" + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "vNetId": { + "value": "" + }, + "zones": { + "value": [ + "1", + "2", + "3" + ] + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/network/bastion-host/README.md b/modules/network/bastion-host/README.md index 06e8704806..5524340559 100644 --- a/modules/network/bastion-host/README.md +++ b/modules/network/bastion-host/README.md @@ -31,6 +31,7 @@ The following section provides usage examples for the module, which were used to - [Custompip](#example-1-custompip) - [Using only defaults](#example-2-using-only-defaults) - [Using large parameter set](#example-3-using-large-parameter-set) +- [WAF-aligned](#example-4-waf-aligned) ### Example 1: _Custompip_ @@ -351,6 +352,144 @@ module bastionHost 'br:bicep/modules/network.bastion-host:1.0.0' = {

+### Example 4: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module bastionHost 'br:bicep/modules/network.bastion-host:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nbhwaf' + params: { + // Required parameters + name: 'nbhwaf001' + vNetId: '' + // Non-required parameters + bastionSubnetPublicIpResourceId: '' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + disableCopyPaste: true + enableDefaultTelemetry: '' + enableFileCopy: false + enableIpConnect: false + enableShareableLink: false + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + scaleUnits: 4 + skuName: 'Standard' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "nbhwaf001" + }, + "vNetId": { + "value": "" + }, + // Non-required parameters + "bastionSubnetPublicIpResourceId": { + "value": "" + }, + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "disableCopyPaste": { + "value": true + }, + "enableDefaultTelemetry": { + "value": "" + }, + "enableFileCopy": { + "value": false + }, + "enableIpConnect": { + "value": false + }, + "enableShareableLink": { + "value": false + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "scaleUnits": { + "value": 4 + }, + "skuName": { + "value": "Standard" + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/network/ddos-protection-plan/README.md b/modules/network/ddos-protection-plan/README.md index 1ccac70c5a..0a82054e08 100644 --- a/modules/network/ddos-protection-plan/README.md +++ b/modules/network/ddos-protection-plan/README.md @@ -28,6 +28,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -163,6 +164,92 @@ module ddosProtectionPlan 'br:bicep/modules/network.ddos-protection-plan:1.0.0'

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module ddosProtectionPlan 'br:bicep/modules/network.ddos-protection-plan:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-ndppwaf' + params: { + // Required parameters + name: 'ndppwaf001' + // Non-required parameters + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "ndppwaf001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/network/dns-forwarding-ruleset/README.md b/modules/network/dns-forwarding-ruleset/README.md index 43d21c8605..7f80e40e75 100644 --- a/modules/network/dns-forwarding-ruleset/README.md +++ b/modules/network/dns-forwarding-ruleset/README.md @@ -32,6 +32,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -219,6 +220,136 @@ module dnsForwardingRuleset 'br:bicep/modules/network.dns-forwarding-ruleset:1.0

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module dnsForwardingRuleset 'br:bicep/modules/network.dns-forwarding-ruleset:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-ndfrswaf' + params: { + // Required parameters + dnsResolverOutboundEndpointResourceIds: [ + '' + ] + name: 'ndfrswaf001' + // Non-required parameters + enableDefaultTelemetry: '' + forwardingRules: [ + { + domainName: 'contoso.' + forwardingRuleState: 'Enabled' + name: 'rule1' + targetDnsServers: [ + { + ipAddress: '192.168.0.1' + port: '53' + } + ] + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + vNetLinks: [ + '' + ] + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "dnsResolverOutboundEndpointResourceIds": { + "value": [ + "" + ] + }, + "name": { + "value": "ndfrswaf001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "forwardingRules": { + "value": [ + { + "domainName": "contoso.", + "forwardingRuleState": "Enabled", + "name": "rule1", + "targetDnsServers": [ + { + "ipAddress": "192.168.0.1", + "port": "53" + } + ] + } + ] + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "vNetLinks": { + "value": [ + "" + ] + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/network/dns-resolver/README.md b/modules/network/dns-resolver/README.md index 99f030c8b2..9dd23b73e9 100644 --- a/modules/network/dns-resolver/README.md +++ b/modules/network/dns-resolver/README.md @@ -31,6 +31,7 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.dns-resolver:1.0.0`. - [Using large parameter set](#example-1-using-large-parameter-set) +- [WAF-aligned](#example-2-waf-aligned) ### Example 1: _Using large parameter set_ @@ -124,6 +125,98 @@ module dnsResolver 'br:bicep/modules/network.dns-resolver:1.0.0' = {

+### Example 2: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module dnsResolver 'br:bicep/modules/network.dns-resolver:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-ndrwaf' + params: { + // Required parameters + name: 'ndrwaf001' + virtualNetworkId: '' + // Non-required parameters + enableDefaultTelemetry: '' + inboundEndpoints: [ + { + name: 'az-pdnsin-x-001' + subnetId: '' + } + ] + outboundEndpoints: [ + { + name: 'az-pdnsout-x-001' + subnetId: '' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "ndrwaf001" + }, + "virtualNetworkId": { + "value": "" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "inboundEndpoints": { + "value": [ + { + "name": "az-pdnsin-x-001", + "subnetId": "" + } + ] + }, + "outboundEndpoints": { + "value": [ + { + "name": "az-pdnsout-x-001", + "subnetId": "" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/network/dns-zone/README.md b/modules/network/dns-zone/README.md index 23651a2aa3..003e5548ed 100644 --- a/modules/network/dns-zone/README.md +++ b/modules/network/dns-zone/README.md @@ -40,6 +40,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -489,6 +490,406 @@ module dnsZone 'br:bicep/modules/network.dns-zone:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module dnsZone 'br:bicep/modules/network.dns-zone:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-ndzwaf' + params: { + // Required parameters + name: 'ndzwaf001.com' + // Non-required parameters + a: [ + { + aRecords: [ + { + ipv4Address: '10.240.4.4' + } + ] + name: 'A_10.240.4.4' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + ttl: 3600 + } + ] + aaaa: [ + { + aaaaRecords: [ + { + ipv6Address: '2001:0db8:85a3:0000:0000:8a2e:0370:7334' + } + ] + name: 'AAAA_2001_0db8_85a3_0000_0000_8a2e_0370_7334' + ttl: 3600 + } + ] + cname: [ + { + cnameRecord: { + cname: 'test' + } + name: 'CNAME_test' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + ttl: 3600 + } + { + name: 'CNAME_aliasRecordSet' + targetResourceId: '' + } + ] + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + mx: [ + { + mxRecords: [ + { + exchange: 'contoso.com' + preference: 100 + } + ] + name: 'MX_contoso' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + ttl: 3600 + } + ] + ptr: [ + { + name: 'PTR_contoso' + ptrRecords: [ + { + ptrdname: 'contoso.com' + } + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + ttl: 3600 + } + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + soa: [ + { + name: '@' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + soaRecord: { + email: 'azuredns-hostmaster.microsoft.com' + expireTime: 2419200 + host: 'ns1-04.azure-dns.com.' + minimumTtl: 300 + refreshTime: 3600 + retryTime: 300 + serialNumber: '1' + } + ttl: 3600 + } + ] + srv: [ + { + name: 'SRV_contoso' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + srvRecords: [ + { + port: 9332 + priority: 0 + target: 'test.contoso.com' + weight: 0 + } + ] + ttl: 3600 + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + txt: [ + { + name: 'TXT_test' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + ttl: 3600 + txtRecords: [ + { + value: [ + 'test' + ] + } + ] + } + ] + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "ndzwaf001.com" + }, + // Non-required parameters + "a": { + "value": [ + { + "aRecords": [ + { + "ipv4Address": "10.240.4.4" + } + ], + "name": "A_10.240.4.4", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "ttl": 3600 + } + ] + }, + "aaaa": { + "value": [ + { + "aaaaRecords": [ + { + "ipv6Address": "2001:0db8:85a3:0000:0000:8a2e:0370:7334" + } + ], + "name": "AAAA_2001_0db8_85a3_0000_0000_8a2e_0370_7334", + "ttl": 3600 + } + ] + }, + "cname": { + "value": [ + { + "cnameRecord": { + "cname": "test" + }, + "name": "CNAME_test", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "ttl": 3600 + }, + { + "name": "CNAME_aliasRecordSet", + "targetResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "mx": { + "value": [ + { + "mxRecords": [ + { + "exchange": "contoso.com", + "preference": 100 + } + ], + "name": "MX_contoso", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "ttl": 3600 + } + ] + }, + "ptr": { + "value": [ + { + "name": "PTR_contoso", + "ptrRecords": [ + { + "ptrdname": "contoso.com" + } + ], + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "ttl": 3600 + } + ] + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "soa": { + "value": [ + { + "name": "@", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "soaRecord": { + "email": "azuredns-hostmaster.microsoft.com", + "expireTime": 2419200, + "host": "ns1-04.azure-dns.com.", + "minimumTtl": 300, + "refreshTime": 3600, + "retryTime": 300, + "serialNumber": "1" + }, + "ttl": 3600 + } + ] + }, + "srv": { + "value": [ + { + "name": "SRV_contoso", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "srvRecords": [ + { + "port": 9332, + "priority": 0, + "target": "test.contoso.com", + "weight": 0 + } + ], + "ttl": 3600 + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "txt": { + "value": [ + { + "name": "TXT_test", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "ttl": 3600, + "txtRecords": [ + { + "value": [ + "test" + ] + } + ] + } + ] + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/network/express-route-circuit/README.md b/modules/network/express-route-circuit/README.md index 125ba3bbb9..1a35356326 100644 --- a/modules/network/express-route-circuit/README.md +++ b/modules/network/express-route-circuit/README.md @@ -29,6 +29,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -230,6 +231,146 @@ module expressRouteCircuit 'br:bicep/modules/network.express-route-circuit:1.0.0

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module expressRouteCircuit 'br:bicep/modules/network.express-route-circuit:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nercwaf' + params: { + // Required parameters + bandwidthInMbps: 50 + name: 'nercwaf001' + peeringLocation: 'Amsterdam' + serviceProviderName: 'Equinix' + // Non-required parameters + allowClassicOperations: true + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + skuFamily: 'MeteredData' + skuTier: 'Standard' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "bandwidthInMbps": { + "value": 50 + }, + "name": { + "value": "nercwaf001" + }, + "peeringLocation": { + "value": "Amsterdam" + }, + "serviceProviderName": { + "value": "Equinix" + }, + // Non-required parameters + "allowClassicOperations": { + "value": true + }, + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "skuFamily": { + "value": "MeteredData" + }, + "skuTier": { + "value": "Standard" + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/network/express-route-gateway/README.md b/modules/network/express-route-gateway/README.md index f396c96058..1804fe9a3f 100644 --- a/modules/network/express-route-gateway/README.md +++ b/modules/network/express-route-gateway/README.md @@ -28,6 +28,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -177,6 +178,102 @@ module expressRouteGateway 'br:bicep/modules/network.express-route-gateway:1.0.0

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module expressRouteGateway 'br:bicep/modules/network.express-route-gateway:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nergwaf' + params: { + // Required parameters + name: 'nergwaf001' + virtualHubId: '' + // Non-required parameters + autoScaleConfigurationBoundsMax: 3 + autoScaleConfigurationBoundsMin: 2 + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + hello: 'world' + 'hidden-title': 'This is visible in the resource name' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "nergwaf001" + }, + "virtualHubId": { + "value": "" + }, + // Non-required parameters + "autoScaleConfigurationBoundsMax": { + "value": 3 + }, + "autoScaleConfigurationBoundsMin": { + "value": 2 + }, + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "hello": "world", + "hidden-title": "This is visible in the resource name" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/network/firewall-policy/README.md b/modules/network/firewall-policy/README.md index 1cf5307503..c2a13a1d20 100644 --- a/modules/network/firewall-policy/README.md +++ b/modules/network/firewall-policy/README.md @@ -27,6 +27,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -222,6 +223,152 @@ module firewallPolicy 'br:bicep/modules/network.firewall-policy:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module firewallPolicy 'br:bicep/modules/network.firewall-policy:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nfpwaf' + params: { + // Required parameters + name: 'nfpwaf001' + // Non-required parameters + allowSqlRedirect: true + autoLearnPrivateRanges: 'Enabled' + enableDefaultTelemetry: '' + ruleCollectionGroups: [ + { + name: 'rule-001' + priority: 5000 + ruleCollections: [ + { + action: { + type: 'Allow' + } + name: 'collection002' + priority: 5555 + ruleCollectionType: 'FirewallPolicyFilterRuleCollection' + rules: [ + { + destinationAddresses: [ + '*' + ] + destinationFqdns: [] + destinationIpGroups: [] + destinationPorts: [ + '80' + ] + ipProtocols: [ + 'TCP' + 'UDP' + ] + name: 'rule002' + ruleType: 'NetworkRule' + sourceAddresses: [ + '*' + ] + sourceIpGroups: [] + } + ] + } + ] + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "nfpwaf001" + }, + // Non-required parameters + "allowSqlRedirect": { + "value": true + }, + "autoLearnPrivateRanges": { + "value": "Enabled" + }, + "enableDefaultTelemetry": { + "value": "" + }, + "ruleCollectionGroups": { + "value": [ + { + "name": "rule-001", + "priority": 5000, + "ruleCollections": [ + { + "action": { + "type": "Allow" + }, + "name": "collection002", + "priority": 5555, + "ruleCollectionType": "FirewallPolicyFilterRuleCollection", + "rules": [ + { + "destinationAddresses": [ + "*" + ], + "destinationFqdns": [], + "destinationIpGroups": [], + "destinationPorts": [ + "80" + ], + "ipProtocols": [ + "TCP", + "UDP" + ], + "name": "rule002", + "ruleType": "NetworkRule", + "sourceAddresses": [ + "*" + ], + "sourceIpGroups": [] + } + ] + } + ] + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/network/front-door-web-application-firewall-policy/README.md b/modules/network/front-door-web-application-firewall-policy/README.md index c12d09f3bf..45170239e9 100644 --- a/modules/network/front-door-web-application-firewall-policy/README.md +++ b/modules/network/front-door-web-application-firewall-policy/README.md @@ -28,6 +28,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -297,6 +298,226 @@ module frontDoorWebApplicationFirewallPolicy 'br:bicep/modules/network.front-doo

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module frontDoorWebApplicationFirewallPolicy 'br:bicep/modules/network.front-door-web-application-firewall-policy:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nagwafpwaf' + params: { + // Required parameters + name: 'nagwafpwaf001' + // Non-required parameters + customRules: { + rules: [ + { + action: 'Block' + enabledState: 'Enabled' + matchConditions: [ + { + matchValue: [ + 'CH' + ] + matchVariable: 'RemoteAddr' + negateCondition: false + operator: 'GeoMatch' + selector: '' + transforms: [] + } + { + matchValue: [ + 'windows' + ] + matchVariable: 'RequestHeader' + negateCondition: false + operator: 'Contains' + selector: 'UserAgent' + transforms: [] + } + { + matchValue: [ + '?>' + '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedRules: { + managedRuleSets: [ + { + ruleSetType: 'Microsoft_BotManagerRuleSet' + ruleSetVersion: '1.0' + } + ] + } + policySettings: { + customBlockResponseBody: 'PGh0bWw+CjxoZWFkZXI+PHRpdGxlPkhlbGxvPC90aXRsZT48L2hlYWRlcj4KPGJvZHk+CkhlbGxvIHdvcmxkCjwvYm9keT4KPC9odG1sPg==' + customBlockResponseStatusCode: 200 + mode: 'Prevention' + redirectUrl: 'http://www.bing.com' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + sku: 'Premium_AzureFrontDoor' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "nagwafpwaf001" + }, + // Non-required parameters + "customRules": { + "value": { + "rules": [ + { + "action": "Block", + "enabledState": "Enabled", + "matchConditions": [ + { + "matchValue": [ + "CH" + ], + "matchVariable": "RemoteAddr", + "negateCondition": false, + "operator": "GeoMatch", + "selector": "", + "transforms": [] + }, + { + "matchValue": [ + "windows" + ], + "matchVariable": "RequestHeader", + "negateCondition": false, + "operator": "Contains", + "selector": "UserAgent", + "transforms": [] + }, + { + "matchValue": [ + "?>", + "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedRules": { + "value": { + "managedRuleSets": [ + { + "ruleSetType": "Microsoft_BotManagerRuleSet", + "ruleSetVersion": "1.0" + } + ] + } + }, + "policySettings": { + "value": { + "customBlockResponseBody": "PGh0bWw+CjxoZWFkZXI+PHRpdGxlPkhlbGxvPC90aXRsZT48L2hlYWRlcj4KPGJvZHk+CkhlbGxvIHdvcmxkCjwvYm9keT4KPC9odG1sPg==", + "customBlockResponseStatusCode": 200, + "mode": "Prevention", + "redirectUrl": "http://www.bing.com" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "sku": { + "value": "Premium_AzureFrontDoor" + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/network/front-door/README.md b/modules/network/front-door/README.md index 02f47b80bd..75bd27f5d6 100644 --- a/modules/network/front-door/README.md +++ b/modules/network/front-door/README.md @@ -29,6 +29,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -524,6 +525,284 @@ module frontDoor 'br:bicep/modules/network.front-door:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module frontDoor 'br:bicep/modules/network.front-door:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nfdwaf' + params: { + // Required parameters + backendPools: [ + { + name: 'backendPool' + properties: { + backends: [ + { + address: 'biceptest.local' + backendHostHeader: 'backendAddress' + enabledState: 'Enabled' + httpPort: 80 + httpsPort: 443 + priority: 1 + privateLinkAlias: '' + privateLinkApprovalMessage: '' + privateLinkLocation: '' + privateLinkResourceId: '' + weight: 50 + } + ] + HealthProbeSettings: { + id: '' + } + LoadBalancingSettings: { + id: '' + } + } + } + ] + frontendEndpoints: [ + { + name: 'frontEnd' + properties: { + hostName: '' + sessionAffinityEnabledState: 'Disabled' + sessionAffinityTtlSeconds: 60 + } + } + ] + healthProbeSettings: [ + { + name: 'heathProbe' + properties: { + enabledState: '' + healthProbeMethod: '' + intervalInSeconds: 60 + path: '/' + protocol: 'Https' + } + } + ] + loadBalancingSettings: [ + { + name: 'loadBalancer' + properties: { + additionalLatencyMilliseconds: 0 + sampleSize: 50 + successfulSamplesRequired: 1 + } + } + ] + name: '' + routingRules: [ + { + name: 'routingRule' + properties: { + acceptedProtocols: [ + 'Http' + 'Https' + ] + enabledState: 'Enabled' + frontendEndpoints: [ + { + id: '' + } + ] + patternsToMatch: [ + '/*' + ] + routeConfiguration: { + '@odata.type': '#Microsoft.Azure.FrontDoor.Models.FrontdoorForwardingConfiguration' + backendPool: { + id: '' + } + forwardingProtocol: 'MatchRequest' + } + } + } + ] + // Non-required parameters + enableDefaultTelemetry: '' + enforceCertificateNameCheck: 'Disabled' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + sendRecvTimeoutSeconds: 10 + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "backendPools": { + "value": [ + { + "name": "backendPool", + "properties": { + "backends": [ + { + "address": "biceptest.local", + "backendHostHeader": "backendAddress", + "enabledState": "Enabled", + "httpPort": 80, + "httpsPort": 443, + "priority": 1, + "privateLinkAlias": "", + "privateLinkApprovalMessage": "", + "privateLinkLocation": "", + "privateLinkResourceId": "", + "weight": 50 + } + ], + "HealthProbeSettings": { + "id": "" + }, + "LoadBalancingSettings": { + "id": "" + } + } + } + ] + }, + "frontendEndpoints": { + "value": [ + { + "name": "frontEnd", + "properties": { + "hostName": "", + "sessionAffinityEnabledState": "Disabled", + "sessionAffinityTtlSeconds": 60 + } + } + ] + }, + "healthProbeSettings": { + "value": [ + { + "name": "heathProbe", + "properties": { + "enabledState": "", + "healthProbeMethod": "", + "intervalInSeconds": 60, + "path": "/", + "protocol": "Https" + } + } + ] + }, + "loadBalancingSettings": { + "value": [ + { + "name": "loadBalancer", + "properties": { + "additionalLatencyMilliseconds": 0, + "sampleSize": 50, + "successfulSamplesRequired": 1 + } + } + ] + }, + "name": { + "value": "" + }, + "routingRules": { + "value": [ + { + "name": "routingRule", + "properties": { + "acceptedProtocols": [ + "Http", + "Https" + ], + "enabledState": "Enabled", + "frontendEndpoints": [ + { + "id": "" + } + ], + "patternsToMatch": [ + "/*" + ], + "routeConfiguration": { + "@odata.type": "#Microsoft.Azure.FrontDoor.Models.FrontdoorForwardingConfiguration", + "backendPool": { + "id": "" + }, + "forwardingProtocol": "MatchRequest" + } + } + } + ] + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "enforceCertificateNameCheck": { + "value": "Disabled" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "sendRecvTimeoutSeconds": { + "value": 10 + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/network/ip-group/README.md b/modules/network/ip-group/README.md index 36b3fe51fa..d9706dfeb2 100644 --- a/modules/network/ip-group/README.md +++ b/modules/network/ip-group/README.md @@ -28,6 +28,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -173,6 +174,102 @@ module ipGroup 'br:bicep/modules/network.ip-group:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module ipGroup 'br:bicep/modules/network.ip-group:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nigwaf' + params: { + // Required parameters + name: 'nigwaf001' + // Non-required parameters + enableDefaultTelemetry: '' + ipAddresses: [ + '10.0.0.1' + '10.0.0.2' + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "nigwaf001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "ipAddresses": { + "value": [ + "10.0.0.1", + "10.0.0.2" + ] + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/network/load-balancer/README.md b/modules/network/load-balancer/README.md index b747882d68..cb030c747e 100644 --- a/modules/network/load-balancer/README.md +++ b/modules/network/load-balancer/README.md @@ -33,6 +33,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Internal](#example-2-internal) - [Using large parameter set](#example-3-using-large-parameter-set) +- [WAF-aligned](#example-4-waf-aligned) ### Example 1: _Using only defaults_ @@ -609,6 +610,294 @@ module loadBalancer 'br:bicep/modules/network.load-balancer:1.0.0' = {

+### Example 4: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module loadBalancer 'br:bicep/modules/network.load-balancer:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nlbwaf' + params: { + // Required parameters + frontendIPConfigurations: [ + { + name: 'publicIPConfig1' + publicIPAddressId: '' + } + ] + name: 'nlbwaf001' + // Non-required parameters + backendAddressPools: [ + { + name: 'backendAddressPool1' + } + { + name: 'backendAddressPool2' + } + ] + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + inboundNatRules: [ + { + backendPort: 443 + enableFloatingIP: false + enableTcpReset: false + frontendIPConfigurationName: 'publicIPConfig1' + frontendPort: 443 + idleTimeoutInMinutes: 4 + name: 'inboundNatRule1' + protocol: 'Tcp' + } + { + backendPort: 3389 + frontendIPConfigurationName: 'publicIPConfig1' + frontendPort: 3389 + name: 'inboundNatRule2' + } + ] + loadBalancingRules: [ + { + backendAddressPoolName: 'backendAddressPool1' + backendPort: 80 + disableOutboundSnat: true + enableFloatingIP: false + enableTcpReset: false + frontendIPConfigurationName: 'publicIPConfig1' + frontendPort: 80 + idleTimeoutInMinutes: 5 + loadDistribution: 'Default' + name: 'publicIPLBRule1' + probeName: 'probe1' + protocol: 'Tcp' + } + { + backendAddressPoolName: 'backendAddressPool2' + backendPort: 8080 + frontendIPConfigurationName: 'publicIPConfig1' + frontendPort: 8080 + loadDistribution: 'Default' + name: 'publicIPLBRule2' + probeName: 'probe2' + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + outboundRules: [ + { + allocatedOutboundPorts: 63984 + backendAddressPoolName: 'backendAddressPool1' + frontendIPConfigurationName: 'publicIPConfig1' + name: 'outboundRule1' + } + ] + probes: [ + { + intervalInSeconds: 10 + name: 'probe1' + numberOfProbes: 5 + port: 80 + protocol: 'Tcp' + } + { + name: 'probe2' + port: 443 + protocol: 'Https' + requestPath: '/' + } + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "frontendIPConfigurations": { + "value": [ + { + "name": "publicIPConfig1", + "publicIPAddressId": "" + } + ] + }, + "name": { + "value": "nlbwaf001" + }, + // Non-required parameters + "backendAddressPools": { + "value": [ + { + "name": "backendAddressPool1" + }, + { + "name": "backendAddressPool2" + } + ] + }, + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "inboundNatRules": { + "value": [ + { + "backendPort": 443, + "enableFloatingIP": false, + "enableTcpReset": false, + "frontendIPConfigurationName": "publicIPConfig1", + "frontendPort": 443, + "idleTimeoutInMinutes": 4, + "name": "inboundNatRule1", + "protocol": "Tcp" + }, + { + "backendPort": 3389, + "frontendIPConfigurationName": "publicIPConfig1", + "frontendPort": 3389, + "name": "inboundNatRule2" + } + ] + }, + "loadBalancingRules": { + "value": [ + { + "backendAddressPoolName": "backendAddressPool1", + "backendPort": 80, + "disableOutboundSnat": true, + "enableFloatingIP": false, + "enableTcpReset": false, + "frontendIPConfigurationName": "publicIPConfig1", + "frontendPort": 80, + "idleTimeoutInMinutes": 5, + "loadDistribution": "Default", + "name": "publicIPLBRule1", + "probeName": "probe1", + "protocol": "Tcp" + }, + { + "backendAddressPoolName": "backendAddressPool2", + "backendPort": 8080, + "frontendIPConfigurationName": "publicIPConfig1", + "frontendPort": 8080, + "loadDistribution": "Default", + "name": "publicIPLBRule2", + "probeName": "probe2" + } + ] + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "outboundRules": { + "value": [ + { + "allocatedOutboundPorts": 63984, + "backendAddressPoolName": "backendAddressPool1", + "frontendIPConfigurationName": "publicIPConfig1", + "name": "outboundRule1" + } + ] + }, + "probes": { + "value": [ + { + "intervalInSeconds": 10, + "name": "probe1", + "numberOfProbes": 5, + "port": 80, + "protocol": "Tcp" + }, + { + "name": "probe2", + "port": 443, + "protocol": "Https", + "requestPath": "/" + } + ] + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/network/local-network-gateway/README.md b/modules/network/local-network-gateway/README.md index cc2167d281..2b5cac74a2 100644 --- a/modules/network/local-network-gateway/README.md +++ b/modules/network/local-network-gateway/README.md @@ -28,6 +28,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -195,6 +196,112 @@ module localNetworkGateway 'br:bicep/modules/network.local-network-gateway:1.0.0

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module localNetworkGateway 'br:bicep/modules/network.local-network-gateway:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nlngwaf' + params: { + // Required parameters + localAddressPrefixes: [ + '192.168.1.0/24' + ] + localGatewayPublicIpAddress: '8.8.8.8' + name: 'nlngwaf001' + // Non-required parameters + enableDefaultTelemetry: '' + localAsn: '65123' + localBgpPeeringAddress: '192.168.1.5' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "localAddressPrefixes": { + "value": [ + "192.168.1.0/24" + ] + }, + "localGatewayPublicIpAddress": { + "value": "8.8.8.8" + }, + "name": { + "value": "nlngwaf001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "localAsn": { + "value": "65123" + }, + "localBgpPeeringAddress": { + "value": "192.168.1.5" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/network/nat-gateway/README.md b/modules/network/nat-gateway/README.md index d848af2b74..b764e57c4d 100644 --- a/modules/network/nat-gateway/README.md +++ b/modules/network/nat-gateway/README.md @@ -31,6 +31,7 @@ The following section provides usage examples for the module, which were used to - [Using large parameter set](#example-1-using-large-parameter-set) - [Combine a generated and provided Public IP Prefix](#example-2-combine-a-generated-and-provided-public-ip-prefix) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using large parameter set_ @@ -312,6 +313,158 @@ module natGateway 'br:bicep/modules/network.nat-gateway:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module natGateway 'br:bicep/modules/network.nat-gateway:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nngwaf' + params: { + // Required parameters + name: 'nngwaf001' + // Non-required parameters + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + publicIPAddressObjects: [ + { + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + name: 'nngwaf001-pip' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + skuTier: 'Regional' + zones: [ + '1' + '2' + '3' + ] + } + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "nngwaf001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "publicIPAddressObjects": { + "value": [ + { + "diagnosticSettings": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ], + "name": "nngwaf001-pip", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "skuTier": "Regional", + "zones": [ + "1", + "2", + "3" + ] + } + ] + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/network/network-interface/README.md b/modules/network/network-interface/README.md index 95f9eb34e1..0efe82db56 100644 --- a/modules/network/network-interface/README.md +++ b/modules/network/network-interface/README.md @@ -31,6 +31,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -260,6 +261,172 @@ module networkInterface 'br:bicep/modules/network.network-interface:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module networkInterface 'br:bicep/modules/network.network-interface:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nniwaf' + params: { + // Required parameters + ipConfigurations: [ + { + applicationSecurityGroups: [ + { + id: '' + } + ] + loadBalancerBackendAddressPools: [ + { + id: '' + } + ] + name: 'ipconfig01' + subnetResourceId: '' + } + { + applicationSecurityGroups: [ + { + id: '' + } + ] + subnetResourceId: '' + } + ] + name: 'nniwaf001' + // Non-required parameters + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "ipConfigurations": { + "value": [ + { + "applicationSecurityGroups": [ + { + "id": "" + } + ], + "loadBalancerBackendAddressPools": [ + { + "id": "" + } + ], + "name": "ipconfig01", + "subnetResourceId": "" + }, + { + "applicationSecurityGroups": [ + { + "id": "" + } + ], + "subnetResourceId": "" + } + ] + }, + "name": { + "value": "nniwaf001" + }, + // Non-required parameters + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/network/network-manager/README.md b/modules/network/network-manager/README.md index 4870ad088b..896d0bd79c 100644 --- a/modules/network/network-manager/README.md +++ b/modules/network/network-manager/README.md @@ -35,6 +35,7 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/network.network-manager:1.0.0`. - [Using large parameter set](#example-1-using-large-parameter-set) +- [WAF-aligned](#example-2-waf-aligned) ### Example 1: _Using large parameter set_ @@ -486,6 +487,456 @@ module networkManager 'br:bicep/modules/network.network-manager:1.0.0' = {

+### Example 2: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module networkManager 'br:bicep/modules/network.network-manager:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nnmwaf' + params: { + // Required parameters + name: '' + networkManagerScopeAccesses: [ + 'Connectivity' + 'SecurityAdmin' + ] + networkManagerScopes: { + subscriptions: [ + '' + ] + } + // Non-required parameters + connectivityConfigurations: [ + { + appliesToGroups: [ + { + groupConnectivity: 'None' + isGlobal: 'False' + networkGroupId: '' + useHubGateway: 'False' + } + ] + connectivityTopology: 'HubAndSpoke' + deleteExistingPeering: 'True' + description: 'hubSpokeConnectivity description' + hubs: [ + { + resourceId: '' + resourceType: 'Microsoft.Network/virtualNetworks' + } + ] + isGlobal: 'True' + name: 'hubSpokeConnectivity' + } + { + appliesToGroups: [ + { + groupConnectivity: 'None' + isGlobal: 'False' + networkGroupId: '' + useHubGateway: 'False' + } + ] + connectivityTopology: 'Mesh' + deleteExistingPeering: 'True' + description: 'MeshConnectivity description' + isGlobal: 'True' + name: 'MeshConnectivity' + } + ] + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + networkGroups: [ + { + description: 'network-group-spokes description' + name: 'network-group-spokes' + staticMembers: [ + { + name: 'virtualNetworkSpoke1' + resourceId: '' + } + { + name: 'virtualNetworkSpoke2' + resourceId: '' + } + ] + } + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + scopeConnections: [ + { + description: 'description of the scope connection' + name: 'scope-connection-test' + resourceId: '' + tenantid: '' + } + ] + securityAdminConfigurations: [ + { + applyOnNetworkIntentPolicyBasedServices: [ + 'AllowRulesOnly' + ] + description: 'description of the security admin config' + name: 'test-security-admin-config' + ruleCollections: [ + { + appliesToGroups: [ + { + networkGroupId: '' + } + ] + description: 'test-rule-collection-description' + name: 'test-rule-collection-1' + rules: [ + { + access: 'Allow' + description: 'test-inbound-allow-rule-1-description' + direction: 'Inbound' + name: 'test-inbound-allow-rule-1' + priority: 150 + protocol: 'Tcp' + } + { + access: 'Deny' + description: 'test-outbound-deny-rule-2-description' + direction: 'Outbound' + name: 'test-outbound-deny-rule-2' + priority: 200 + protocol: 'Tcp' + sourcePortRanges: [ + '442-445' + '80' + ] + sources: [ + { + addressPrefix: 'AppService.WestEurope' + addressPrefixType: 'ServiceTag' + } + ] + } + ] + } + { + appliesToGroups: [ + { + networkGroupId: '' + } + ] + description: 'test-rule-collection-description' + name: 'test-rule-collection-2' + rules: [ + { + access: 'Allow' + description: 'test-inbound-allow-rule-3-description' + destinationPortRanges: [ + '442-445' + '80' + ] + destinations: [ + { + addressPrefix: '192.168.20.20' + addressPrefixType: 'IPPrefix' + } + ] + direction: 'Inbound' + name: 'test-inbound-allow-rule-3' + priority: 250 + protocol: 'Tcp' + } + { + access: 'Allow' + description: 'test-inbound-allow-rule-4-description' + destinations: [ + { + addressPrefix: '172.16.0.0/24' + addressPrefixType: 'IPPrefix' + } + { + addressPrefix: '172.16.1.0/24' + addressPrefixType: 'IPPrefix' + } + ] + direction: 'Inbound' + name: 'test-inbound-allow-rule-4' + priority: 260 + protocol: 'Tcp' + sources: [ + { + addressPrefix: '10.0.0.0/24' + addressPrefixType: 'IPPrefix' + } + { + addressPrefix: '100.100.100.100' + addressPrefixType: 'IPPrefix' + } + ] + } + ] + } + ] + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "" + }, + "networkManagerScopeAccesses": { + "value": [ + "Connectivity", + "SecurityAdmin" + ] + }, + "networkManagerScopes": { + "value": { + "subscriptions": [ + "" + ] + } + }, + // Non-required parameters + "connectivityConfigurations": { + "value": [ + { + "appliesToGroups": [ + { + "groupConnectivity": "None", + "isGlobal": "False", + "networkGroupId": "", + "useHubGateway": "False" + } + ], + "connectivityTopology": "HubAndSpoke", + "deleteExistingPeering": "True", + "description": "hubSpokeConnectivity description", + "hubs": [ + { + "resourceId": "", + "resourceType": "Microsoft.Network/virtualNetworks" + } + ], + "isGlobal": "True", + "name": "hubSpokeConnectivity" + }, + { + "appliesToGroups": [ + { + "groupConnectivity": "None", + "isGlobal": "False", + "networkGroupId": "", + "useHubGateway": "False" + } + ], + "connectivityTopology": "Mesh", + "deleteExistingPeering": "True", + "description": "MeshConnectivity description", + "isGlobal": "True", + "name": "MeshConnectivity" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "networkGroups": { + "value": [ + { + "description": "network-group-spokes description", + "name": "network-group-spokes", + "staticMembers": [ + { + "name": "virtualNetworkSpoke1", + "resourceId": "" + }, + { + "name": "virtualNetworkSpoke2", + "resourceId": "" + } + ] + } + ] + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "scopeConnections": { + "value": [ + { + "description": "description of the scope connection", + "name": "scope-connection-test", + "resourceId": "", + "tenantid": "" + } + ] + }, + "securityAdminConfigurations": { + "value": [ + { + "applyOnNetworkIntentPolicyBasedServices": [ + "AllowRulesOnly" + ], + "description": "description of the security admin config", + "name": "test-security-admin-config", + "ruleCollections": [ + { + "appliesToGroups": [ + { + "networkGroupId": "" + } + ], + "description": "test-rule-collection-description", + "name": "test-rule-collection-1", + "rules": [ + { + "access": "Allow", + "description": "test-inbound-allow-rule-1-description", + "direction": "Inbound", + "name": "test-inbound-allow-rule-1", + "priority": 150, + "protocol": "Tcp" + }, + { + "access": "Deny", + "description": "test-outbound-deny-rule-2-description", + "direction": "Outbound", + "name": "test-outbound-deny-rule-2", + "priority": 200, + "protocol": "Tcp", + "sourcePortRanges": [ + "442-445", + "80" + ], + "sources": [ + { + "addressPrefix": "AppService.WestEurope", + "addressPrefixType": "ServiceTag" + } + ] + } + ] + }, + { + "appliesToGroups": [ + { + "networkGroupId": "" + } + ], + "description": "test-rule-collection-description", + "name": "test-rule-collection-2", + "rules": [ + { + "access": "Allow", + "description": "test-inbound-allow-rule-3-description", + "destinationPortRanges": [ + "442-445", + "80" + ], + "destinations": [ + { + "addressPrefix": "192.168.20.20", + "addressPrefixType": "IPPrefix" + } + ], + "direction": "Inbound", + "name": "test-inbound-allow-rule-3", + "priority": 250, + "protocol": "Tcp" + }, + { + "access": "Allow", + "description": "test-inbound-allow-rule-4-description", + "destinations": [ + { + "addressPrefix": "172.16.0.0/24", + "addressPrefixType": "IPPrefix" + }, + { + "addressPrefix": "172.16.1.0/24", + "addressPrefixType": "IPPrefix" + } + ], + "direction": "Inbound", + "name": "test-inbound-allow-rule-4", + "priority": 260, + "protocol": "Tcp", + "sources": [ + { + "addressPrefix": "10.0.0.0/24", + "addressPrefixType": "IPPrefix" + }, + { + "addressPrefix": "100.100.100.100", + "addressPrefixType": "IPPrefix" + } + ] + } + ] + } + ] + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/network/network-security-group/README.md b/modules/network/network-security-group/README.md index f5802ad688..416644df15 100644 --- a/modules/network/network-security-group/README.md +++ b/modules/network/network-security-group/README.md @@ -30,6 +30,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -315,6 +316,242 @@ module networkSecurityGroup 'br:bicep/modules/network.network-security-group:1.0

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module networkSecurityGroup 'br:bicep/modules/network.network-security-group:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nnsgwaf' + params: { + // Required parameters + name: 'nnsgwaf001' + // Non-required parameters + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + securityRules: [ + { + name: 'Specific' + properties: { + access: 'Allow' + description: 'Tests specific IPs and ports' + destinationAddressPrefix: '*' + destinationPortRange: '8080' + direction: 'Inbound' + priority: 100 + protocol: '*' + sourceAddressPrefix: '*' + sourcePortRange: '*' + } + } + { + name: 'Ranges' + properties: { + access: 'Allow' + description: 'Tests Ranges' + destinationAddressPrefixes: [ + '10.2.0.0/16' + '10.3.0.0/16' + ] + destinationPortRanges: [ + '90' + '91' + ] + direction: 'Inbound' + priority: 101 + protocol: '*' + sourceAddressPrefixes: [ + '10.0.0.0/16' + '10.1.0.0/16' + ] + sourcePortRanges: [ + '80' + '81' + ] + } + } + { + name: 'Port_8082' + properties: { + access: 'Allow' + description: 'Allow inbound access on TCP 8082' + destinationApplicationSecurityGroups: [ + { + id: '' + } + ] + destinationPortRange: '8082' + direction: 'Inbound' + priority: 102 + protocol: '*' + sourceApplicationSecurityGroups: [ + { + id: '' + } + ] + sourcePortRange: '*' + } + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "nnsgwaf001" + }, + // Non-required parameters + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "securityRules": { + "value": [ + { + "name": "Specific", + "properties": { + "access": "Allow", + "description": "Tests specific IPs and ports", + "destinationAddressPrefix": "*", + "destinationPortRange": "8080", + "direction": "Inbound", + "priority": 100, + "protocol": "*", + "sourceAddressPrefix": "*", + "sourcePortRange": "*" + } + }, + { + "name": "Ranges", + "properties": { + "access": "Allow", + "description": "Tests Ranges", + "destinationAddressPrefixes": [ + "10.2.0.0/16", + "10.3.0.0/16" + ], + "destinationPortRanges": [ + "90", + "91" + ], + "direction": "Inbound", + "priority": 101, + "protocol": "*", + "sourceAddressPrefixes": [ + "10.0.0.0/16", + "10.1.0.0/16" + ], + "sourcePortRanges": [ + "80", + "81" + ] + } + }, + { + "name": "Port_8082", + "properties": { + "access": "Allow", + "description": "Allow inbound access on TCP 8082", + "destinationApplicationSecurityGroups": [ + { + "id": "" + } + ], + "destinationPortRange": "8082", + "direction": "Inbound", + "priority": 102, + "protocol": "*", + "sourceApplicationSecurityGroups": [ + { + "id": "" + } + ], + "sourcePortRange": "*" + } + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/network/network-watcher/README.md b/modules/network/network-watcher/README.md index ede8d1e3a8..a9c59a060f 100644 --- a/modules/network/network-watcher/README.md +++ b/modules/network/network-watcher/README.md @@ -30,6 +30,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -293,6 +294,224 @@ module networkWatcher 'br:bicep/modules/network.network-watcher:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module networkWatcher 'br:bicep/modules/network.network-watcher:1.0.0' = { + name: '${uniqueString(deployment().name, testLocation)}-test-nnwwaf' + params: { + connectionMonitors: [ + { + endpoints: [ + { + name: '' + resourceId: '' + type: 'AzureVM' + } + { + address: 'www.bing.com' + name: 'Bing' + type: 'ExternalAddress' + } + ] + name: 'nnwwaf-cm-001' + testConfigurations: [ + { + httpConfiguration: { + method: 'Get' + port: 80 + preferHTTPS: false + requestHeaders: [] + validStatusCodeRanges: [ + '200' + ] + } + name: 'HTTP Bing Test' + protocol: 'Http' + successThreshold: { + checksFailedPercent: 5 + roundTripTimeMs: 100 + } + testFrequencySec: 30 + } + ] + testGroups: [ + { + destinations: [ + 'Bing' + ] + disable: false + name: 'test-http-Bing' + sources: [ + 'subnet-001(${resourceGroup.name})' + ] + testConfigurations: [ + 'HTTP Bing Test' + ] + } + ] + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + flowLogs: [ + { + enabled: false + storageId: '' + targetResourceId: '' + } + { + formatVersion: 1 + name: 'nnwwaf-fl-001' + retentionInDays: 8 + storageId: '' + targetResourceId: '' + trafficAnalyticsInterval: 10 + workspaceResourceId: '' + } + ] + location: '' + name: '' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "connectionMonitors": { + "value": [ + { + "endpoints": [ + { + "name": "", + "resourceId": "", + "type": "AzureVM" + }, + { + "address": "www.bing.com", + "name": "Bing", + "type": "ExternalAddress" + } + ], + "name": "nnwwaf-cm-001", + "testConfigurations": [ + { + "httpConfiguration": { + "method": "Get", + "port": 80, + "preferHTTPS": false, + "requestHeaders": [], + "validStatusCodeRanges": [ + "200" + ] + }, + "name": "HTTP Bing Test", + "protocol": "Http", + "successThreshold": { + "checksFailedPercent": 5, + "roundTripTimeMs": 100 + }, + "testFrequencySec": 30 + } + ], + "testGroups": [ + { + "destinations": [ + "Bing" + ], + "disable": false, + "name": "test-http-Bing", + "sources": [ + "subnet-001(${resourceGroup.name})" + ], + "testConfigurations": [ + "HTTP Bing Test" + ] + } + ], + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "flowLogs": { + "value": [ + { + "enabled": false, + "storageId": "", + "targetResourceId": "" + }, + { + "formatVersion": 1, + "name": "nnwwaf-fl-001", + "retentionInDays": 8, + "storageId": "", + "targetResourceId": "", + "trafficAnalyticsInterval": 10, + "workspaceResourceId": "" + } + ] + }, + "location": { + "value": "" + }, + "name": { + "value": "" + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/network/private-dns-zone/README.md b/modules/network/private-dns-zone/README.md index ceb0935638..714eea7f96 100644 --- a/modules/network/private-dns-zone/README.md +++ b/modules/network/private-dns-zone/README.md @@ -39,6 +39,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -494,6 +495,412 @@ module privateDnsZone 'br:bicep/modules/network.private-dns-zone:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module privateDnsZone 'br:bicep/modules/network.private-dns-zone:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-npdzwaf' + params: { + // Required parameters + name: 'npdzwaf001.com' + // Non-required parameters + a: [ + { + aRecords: [ + { + ipv4Address: '10.240.4.4' + } + ] + name: 'A_10.240.4.4' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + ttl: 3600 + } + ] + aaaa: [ + { + aaaaRecords: [ + { + ipv6Address: '2001:0db8:85a3:0000:0000:8a2e:0370:7334' + } + ] + name: 'AAAA_2001_0db8_85a3_0000_0000_8a2e_0370_7334' + ttl: 3600 + } + ] + cname: [ + { + cnameRecord: { + cname: 'test' + } + name: 'CNAME_test' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + ttl: 3600 + } + ] + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + mx: [ + { + mxRecords: [ + { + exchange: 'contoso.com' + preference: 100 + } + ] + name: 'MX_contoso' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + ttl: 3600 + } + ] + ptr: [ + { + name: 'PTR_contoso' + ptrRecords: [ + { + ptrdname: 'contoso.com' + } + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + ttl: 3600 + } + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + soa: [ + { + name: '@' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + soaRecord: { + email: 'azureprivatedns-host.microsoft.com' + expireTime: 2419200 + host: 'azureprivatedns.net' + minimumTtl: 10 + refreshTime: 3600 + retryTime: 300 + serialNumber: '1' + } + ttl: 3600 + } + ] + srv: [ + { + name: 'SRV_contoso' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + srvRecords: [ + { + port: 9332 + priority: 0 + target: 'test.contoso.com' + weight: 0 + } + ] + ttl: 3600 + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + txt: [ + { + name: 'TXT_test' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + ttl: 3600 + txtRecords: [ + { + value: [ + 'test' + ] + } + ] + } + ] + virtualNetworkLinks: [ + { + registrationEnabled: true + virtualNetworkResourceId: '' + } + ] + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "npdzwaf001.com" + }, + // Non-required parameters + "a": { + "value": [ + { + "aRecords": [ + { + "ipv4Address": "10.240.4.4" + } + ], + "name": "A_10.240.4.4", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "ttl": 3600 + } + ] + }, + "aaaa": { + "value": [ + { + "aaaaRecords": [ + { + "ipv6Address": "2001:0db8:85a3:0000:0000:8a2e:0370:7334" + } + ], + "name": "AAAA_2001_0db8_85a3_0000_0000_8a2e_0370_7334", + "ttl": 3600 + } + ] + }, + "cname": { + "value": [ + { + "cnameRecord": { + "cname": "test" + }, + "name": "CNAME_test", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "ttl": 3600 + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "mx": { + "value": [ + { + "mxRecords": [ + { + "exchange": "contoso.com", + "preference": 100 + } + ], + "name": "MX_contoso", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "ttl": 3600 + } + ] + }, + "ptr": { + "value": [ + { + "name": "PTR_contoso", + "ptrRecords": [ + { + "ptrdname": "contoso.com" + } + ], + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "ttl": 3600 + } + ] + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "soa": { + "value": [ + { + "name": "@", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "soaRecord": { + "email": "azureprivatedns-host.microsoft.com", + "expireTime": 2419200, + "host": "azureprivatedns.net", + "minimumTtl": 10, + "refreshTime": 3600, + "retryTime": 300, + "serialNumber": "1" + }, + "ttl": 3600 + } + ] + }, + "srv": { + "value": [ + { + "name": "SRV_contoso", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "srvRecords": [ + { + "port": 9332, + "priority": 0, + "target": "test.contoso.com", + "weight": 0 + } + ], + "ttl": 3600 + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "txt": { + "value": [ + { + "name": "TXT_test", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "ttl": 3600, + "txtRecords": [ + { + "value": [ + "test" + ] + } + ] + } + ] + }, + "virtualNetworkLinks": { + "value": [ + { + "registrationEnabled": true, + "virtualNetworkResourceId": "" + } + ] + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/network/private-endpoint/README.md b/modules/network/private-endpoint/README.md index e23c6bb6b9..866ff9fecc 100644 --- a/modules/network/private-endpoint/README.md +++ b/modules/network/private-endpoint/README.md @@ -31,6 +31,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -258,6 +259,168 @@ module privateEndpoint 'br:bicep/modules/network.private-endpoint:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module privateEndpoint 'br:bicep/modules/network.private-endpoint:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-npewaf' + params: { + // Required parameters + groupIds: [ + 'vault' + ] + name: 'npewaf001' + serviceResourceId: '' + subnetResourceId: '' + // Non-required parameters + applicationSecurityGroupResourceIds: [ + '' + ] + customDnsConfigs: [ + { + fqdn: 'abc.keyvault.com' + ipAddresses: [ + '10.0.0.10' + ] + } + ] + customNetworkInterfaceName: 'npewaf001nic' + enableDefaultTelemetry: '' + ipConfigurations: [ + { + name: 'myIPconfig' + properties: { + groupId: 'vault' + memberName: 'default' + privateIPAddress: '10.0.0.10' + } + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + privateDnsZoneResourceIds: [ + '' + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "groupIds": { + "value": [ + "vault" + ] + }, + "name": { + "value": "npewaf001" + }, + "serviceResourceId": { + "value": "" + }, + "subnetResourceId": { + "value": "" + }, + // Non-required parameters + "applicationSecurityGroupResourceIds": { + "value": [ + "" + ] + }, + "customDnsConfigs": { + "value": [ + { + "fqdn": "abc.keyvault.com", + "ipAddresses": [ + "10.0.0.10" + ] + } + ] + }, + "customNetworkInterfaceName": { + "value": "npewaf001nic" + }, + "enableDefaultTelemetry": { + "value": "" + }, + "ipConfigurations": { + "value": [ + { + "name": "myIPconfig", + "properties": { + "groupId": "vault", + "memberName": "default", + "privateIPAddress": "10.0.0.10" + } + } + ] + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "privateDnsZoneResourceIds": { + "value": [ + "" + ] + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/network/private-link-service/README.md b/modules/network/private-link-service/README.md index 45f9b300e1..a2ba040a35 100644 --- a/modules/network/private-link-service/README.md +++ b/modules/network/private-link-service/README.md @@ -29,6 +29,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -274,6 +275,168 @@ module privateLinkService 'br:bicep/modules/network.private-link-service:1.0.0'

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module privateLinkService 'br:bicep/modules/network.private-link-service:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nplswaf' + params: { + // Required parameters + name: 'nplswaf001' + // Non-required parameters + autoApproval: { + subscriptions: [ + '*' + ] + } + enableDefaultTelemetry: '' + enableProxyProtocol: true + fqdns: [ + 'nplswaf.plsfqdn01.azure.privatelinkservice' + 'nplswaf.plsfqdn02.azure.privatelinkservice' + ] + ipConfigurations: [ + { + name: 'nplswaf01' + properties: { + primary: true + privateIPAllocationMethod: 'Dynamic' + subnet: { + id: '' + } + } + } + ] + loadBalancerFrontendIpConfigurations: [ + { + id: '' + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + visibility: { + subscriptions: [ + '' + ] + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "nplswaf001" + }, + // Non-required parameters + "autoApproval": { + "value": { + "subscriptions": [ + "*" + ] + } + }, + "enableDefaultTelemetry": { + "value": "" + }, + "enableProxyProtocol": { + "value": true + }, + "fqdns": { + "value": [ + "nplswaf.plsfqdn01.azure.privatelinkservice", + "nplswaf.plsfqdn02.azure.privatelinkservice" + ] + }, + "ipConfigurations": { + "value": [ + { + "name": "nplswaf01", + "properties": { + "primary": true, + "privateIPAllocationMethod": "Dynamic", + "subnet": { + "id": "" + } + } + } + ] + }, + "loadBalancerFrontendIpConfigurations": { + "value": [ + { + "id": "" + } + ] + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "visibility": { + "value": { + "subscriptions": [ + "" + ] + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/network/public-ip-address/README.md b/modules/network/public-ip-address/README.md index a1e26a8374..cfe71b8195 100644 --- a/modules/network/public-ip-address/README.md +++ b/modules/network/public-ip-address/README.md @@ -31,6 +31,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -216,6 +217,142 @@ module publicIpAddress 'br:bicep/modules/network.public-ip-address:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module publicIpAddress 'br:bicep/modules/network.public-ip-address:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-npiawaf' + params: { + // Required parameters + name: 'npiawaf001' + // Non-required parameters + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + publicIPAllocationMethod: 'Static' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + skuName: 'Standard' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + zones: [ + '1' + '2' + '3' + ] + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "npiawaf001" + }, + // Non-required parameters + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "publicIPAllocationMethod": { + "value": "Static" + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "skuName": { + "value": "Standard" + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "zones": { + "value": [ + "1", + "2", + "3" + ] + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/network/public-ip-prefix/README.md b/modules/network/public-ip-prefix/README.md index efd58740b9..315a9026fd 100644 --- a/modules/network/public-ip-prefix/README.md +++ b/modules/network/public-ip-prefix/README.md @@ -28,6 +28,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -171,6 +172,96 @@ module publicIpPrefix 'br:bicep/modules/network.public-ip-prefix:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module publicIpPrefix 'br:bicep/modules/network.public-ip-prefix:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-npipwaf' + params: { + // Required parameters + name: 'npipwaf001' + prefixLength: 28 + // Non-required parameters + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "npipwaf001" + }, + "prefixLength": { + "value": 28 + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/network/route-table/README.md b/modules/network/route-table/README.md index 3187ab66e4..f5c8ab94de 100644 --- a/modules/network/route-table/README.md +++ b/modules/network/route-table/README.md @@ -28,6 +28,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -185,6 +186,114 @@ module routeTable 'br:bicep/modules/network.route-table:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module routeTable 'br:bicep/modules/network.route-table:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nrtwaf' + params: { + // Required parameters + name: 'nrtwaf001' + // Non-required parameters + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + routes: [ + { + name: 'default' + properties: { + addressPrefix: '0.0.0.0/0' + nextHopIpAddress: '172.16.0.20' + nextHopType: 'VirtualAppliance' + } + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "nrtwaf001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "routes": { + "value": [ + { + "name": "default", + "properties": { + "addressPrefix": "0.0.0.0/0", + "nextHopIpAddress": "172.16.0.20", + "nextHopType": "VirtualAppliance" + } + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/network/service-endpoint-policy/README.md b/modules/network/service-endpoint-policy/README.md index c97f6b3a41..e8797a413c 100644 --- a/modules/network/service-endpoint-policy/README.md +++ b/modules/network/service-endpoint-policy/README.md @@ -28,6 +28,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -191,6 +192,120 @@ module serviceEndpointPolicy 'br:bicep/modules/network.service-endpoint-policy:1

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module serviceEndpointPolicy 'br:bicep/modules/network.service-endpoint-policy:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nsnpwaf' + params: { + // Required parameters + name: 'nsnpwaf-001' + // Non-required parameters + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + serviceEndpointPolicyDefinitions: [ + { + name: 'Storage.ServiceEndpoint' + properties: { + description: 'Allow Microsoft.Storage' + service: 'Microsoft.Storage' + serviceResources: [ + '' + ] + } + type: 'Microsoft.Network/serviceEndpointPolicies/serviceEndpointPolicyDefinitions' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "nsnpwaf-001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "serviceEndpointPolicyDefinitions": { + "value": [ + { + "name": "Storage.ServiceEndpoint", + "properties": { + "description": "Allow Microsoft.Storage", + "service": "Microsoft.Storage", + "serviceResources": [ + "" + ] + }, + "type": "Microsoft.Network/serviceEndpointPolicies/serviceEndpointPolicyDefinitions" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/network/trafficmanagerprofile/README.md b/modules/network/trafficmanagerprofile/README.md index 07d77ebdb1..01f22925a2 100644 --- a/modules/network/trafficmanagerprofile/README.md +++ b/modules/network/trafficmanagerprofile/README.md @@ -30,6 +30,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -203,6 +204,126 @@ module trafficmanagerprofile 'br:bicep/modules/network.trafficmanagerprofile:1.0

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module trafficmanagerprofile 'br:bicep/modules/network.trafficmanagerprofile:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-ntmpwaf' + params: { + // Required parameters + name: '' + relativeName: '' + // Non-required parameters + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "" + }, + "relativeName": { + "value": "" + }, + // Non-required parameters + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/network/virtual-hub/README.md b/modules/network/virtual-hub/README.md index 794271f0ac..c4c25d0839 100644 --- a/modules/network/virtual-hub/README.md +++ b/modules/network/virtual-hub/README.md @@ -30,6 +30,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -221,6 +222,140 @@ module virtualHub 'br:bicep/modules/network.virtual-hub:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module virtualHub 'br:bicep/modules/network.virtual-hub:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nvhwaf' + params: { + // Required parameters + addressPrefix: '10.1.0.0/16' + name: 'nvhwaf' + virtualWanId: '' + // Non-required parameters + enableDefaultTelemetry: '' + hubRouteTables: [ + { + name: 'routeTable1' + } + ] + hubVirtualNetworkConnections: [ + { + name: 'connection1' + remoteVirtualNetworkId: '' + routingConfiguration: { + associatedRouteTable: { + id: '' + } + propagatedRouteTables: { + ids: [ + { + id: '' + } + ] + labels: [ + 'none' + ] + } + } + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "addressPrefix": { + "value": "10.1.0.0/16" + }, + "name": { + "value": "nvhwaf" + }, + "virtualWanId": { + "value": "" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "hubRouteTables": { + "value": [ + { + "name": "routeTable1" + } + ] + }, + "hubVirtualNetworkConnections": { + "value": [ + { + "name": "connection1", + "remoteVirtualNetworkId": "", + "routingConfiguration": { + "associatedRouteTable": { + "id": "" + }, + "propagatedRouteTables": { + "ids": [ + { + "id": "" + } + ], + "labels": [ + "none" + ] + } + } + } + ] + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/network/virtual-network/README.md b/modules/network/virtual-network/README.md index 07083c6cf7..8f8acb2d0d 100644 --- a/modules/network/virtual-network/README.md +++ b/modules/network/virtual-network/README.md @@ -33,6 +33,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) - [Vnetpeering](#example-3-vnetpeering) +- [WAF-aligned](#example-4-waf-aligned) ### Example 1: _Using only defaults_ @@ -427,6 +428,236 @@ module virtualNetwork 'br:bicep/modules/network.virtual-network:1.0.0' = {

+### Example 4: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module virtualNetwork 'br:bicep/modules/network.virtual-network:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nvnwaf' + params: { + // Required parameters + addressPrefixes: [ + '' + ] + name: 'nvnwaf001' + // Non-required parameters + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + dnsServers: [ + '10.0.1.4' + '10.0.1.5' + ] + enableDefaultTelemetry: '' + flowTimeoutInMinutes: 20 + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + subnets: [ + { + addressPrefix: '' + name: 'GatewaySubnet' + } + { + addressPrefix: '' + name: 'az-subnet-x-001' + networkSecurityGroupId: '' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + routeTableId: '' + serviceEndpoints: [ + { + service: 'Microsoft.Storage' + } + { + service: 'Microsoft.Sql' + } + ] + } + { + addressPrefix: '' + delegations: [ + { + name: 'netappDel' + properties: { + serviceName: 'Microsoft.Netapp/volumes' + } + } + ] + name: 'az-subnet-x-002' + } + { + addressPrefix: '' + name: 'az-subnet-x-003' + privateEndpointNetworkPolicies: 'Disabled' + privateLinkServiceNetworkPolicies: 'Enabled' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "addressPrefixes": { + "value": [ + "" + ] + }, + "name": { + "value": "nvnwaf001" + }, + // Non-required parameters + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "dnsServers": { + "value": [ + "10.0.1.4", + "10.0.1.5" + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "flowTimeoutInMinutes": { + "value": 20 + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "subnets": { + "value": [ + { + "addressPrefix": "", + "name": "GatewaySubnet" + }, + { + "addressPrefix": "", + "name": "az-subnet-x-001", + "networkSecurityGroupId": "", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "routeTableId": "", + "serviceEndpoints": [ + { + "service": "Microsoft.Storage" + }, + { + "service": "Microsoft.Sql" + } + ] + }, + { + "addressPrefix": "", + "delegations": [ + { + "name": "netappDel", + "properties": { + "serviceName": "Microsoft.Netapp/volumes" + } + } + ], + "name": "az-subnet-x-002" + }, + { + "addressPrefix": "", + "name": "az-subnet-x-003", + "privateEndpointNetworkPolicies": "Disabled", + "privateLinkServiceNetworkPolicies": "Enabled" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/network/virtual-wan/README.md b/modules/network/virtual-wan/README.md index 2837b5d97c..63d33bf1aa 100644 --- a/modules/network/virtual-wan/README.md +++ b/modules/network/virtual-wan/README.md @@ -28,6 +28,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -179,6 +180,108 @@ module virtualWan 'br:bicep/modules/network.virtual-wan:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module virtualWan 'br:bicep/modules/network.virtual-wan:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nvwwaf' + params: { + // Required parameters + name: 'nvwwaf001' + // Non-required parameters + allowBranchToBranchTraffic: true + allowVnetToVnetTraffic: true + disableVpnEncryption: true + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + type: 'Basic' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "nvwwaf001" + }, + // Non-required parameters + "allowBranchToBranchTraffic": { + "value": true + }, + "allowVnetToVnetTraffic": { + "value": true + }, + "disableVpnEncryption": { + "value": true + }, + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "type": { + "value": "Basic" + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/network/vpn-gateway/README.md b/modules/network/vpn-gateway/README.md index e8936ad31c..ae23f37365 100644 --- a/modules/network/vpn-gateway/README.md +++ b/modules/network/vpn-gateway/README.md @@ -30,6 +30,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -233,6 +234,156 @@ module vpnGateway 'br:bicep/modules/network.vpn-gateway:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module vpnGateway 'br:bicep/modules/network.vpn-gateway:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nvgwaf' + params: { + // Required parameters + name: 'nvgwaf001' + virtualHubResourceId: '' + // Non-required parameters + bgpSettings: { + asn: 65515 + peerWeight: 0 + } + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + natRules: [ + { + externalMappings: [ + { + addressSpace: '192.168.21.0/24' + } + ] + internalMappings: [ + { + addressSpace: '10.4.0.0/24' + } + ] + mode: 'EgressSnat' + name: 'natRule1' + type: 'Static' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + vpnConnections: [ + { + connectionBandwidth: 100 + enableBgp: false + enableInternetSecurity: true + enableRateLimiting: false + name: '' + remoteVpnSiteResourceId: '' + routingWeight: 0 + useLocalAzureIpAddress: false + usePolicyBasedTrafficSelectors: false + vpnConnectionProtocolType: 'IKEv2' + } + ] + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "nvgwaf001" + }, + "virtualHubResourceId": { + "value": "" + }, + // Non-required parameters + "bgpSettings": { + "value": { + "asn": 65515, + "peerWeight": 0 + } + }, + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "natRules": { + "value": [ + { + "externalMappings": [ + { + "addressSpace": "192.168.21.0/24" + } + ], + "internalMappings": [ + { + "addressSpace": "10.4.0.0/24" + } + ], + "mode": "EgressSnat", + "name": "natRule1", + "type": "Static" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "vpnConnections": { + "value": [ + { + "connectionBandwidth": 100, + "enableBgp": false, + "enableInternetSecurity": true, + "enableRateLimiting": false, + "name": "", + "remoteVpnSiteResourceId": "", + "routingWeight": 0, + "useLocalAzureIpAddress": false, + "usePolicyBasedTrafficSelectors": false, + "vpnConnectionProtocolType": "IKEv2" + } + ] + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/network/vpn-site/README.md b/modules/network/vpn-site/README.md index 949d02fd41..0db53524cd 100644 --- a/modules/network/vpn-site/README.md +++ b/modules/network/vpn-site/README.md @@ -29,6 +29,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -270,6 +271,182 @@ module vpnSite 'br:bicep/modules/network.vpn-site:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module vpnSite 'br:bicep/modules/network.vpn-site:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-nvswaf' + params: { + // Required parameters + name: 'nvswaf' + virtualWanId: '' + // Non-required parameters + deviceProperties: { + linkSpeedInMbps: 0 + } + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + o365Policy: { + breakOutCategories: { + allow: true + default: true + optimize: true + } + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + 'hidden-title': 'This is visible in the resource name' + tagA: 'valueA' + tagB: 'valueB' + } + vpnSiteLinks: [ + { + name: 'vSite-nvswaf' + properties: { + bgpProperties: { + asn: 65010 + bgpPeeringAddress: '1.1.1.1' + } + ipAddress: '1.2.3.4' + linkProperties: { + linkProviderName: 'contoso' + linkSpeedInMbps: 5 + } + } + } + { + name: 'Link1' + properties: { + bgpProperties: { + asn: 65020 + bgpPeeringAddress: '192.168.1.0' + } + ipAddress: '2.2.2.2' + linkProperties: { + linkProviderName: 'contoso' + linkSpeedInMbps: 5 + } + } + } + ] + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "nvswaf" + }, + "virtualWanId": { + "value": "" + }, + // Non-required parameters + "deviceProperties": { + "value": { + "linkSpeedInMbps": 0 + } + }, + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "o365Policy": { + "value": { + "breakOutCategories": { + "allow": true, + "default": true, + "optimize": true + } + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "hidden-title": "This is visible in the resource name", + "tagA": "valueA", + "tagB": "valueB" + } + }, + "vpnSiteLinks": { + "value": [ + { + "name": "vSite-nvswaf", + "properties": { + "bgpProperties": { + "asn": 65010, + "bgpPeeringAddress": "1.1.1.1" + }, + "ipAddress": "1.2.3.4", + "linkProperties": { + "linkProviderName": "contoso", + "linkSpeedInMbps": 5 + } + } + }, + { + "name": "Link1", + "properties": { + "bgpProperties": { + "asn": 65020, + "bgpPeeringAddress": "192.168.1.0" + }, + "ipAddress": "2.2.2.2", + "linkProperties": { + "linkProviderName": "contoso", + "linkSpeedInMbps": 5 + } + } + } + ] + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/operational-insights/workspace/README.md b/modules/operational-insights/workspace/README.md index cac8424e47..ec2727000b 100644 --- a/modules/operational-insights/workspace/README.md +++ b/modules/operational-insights/workspace/README.md @@ -38,6 +38,7 @@ The following section provides usage examples for the module, which were used to - [Adv](#example-1-adv) - [Using only defaults](#example-2-using-only-defaults) - [Using large parameter set](#example-3-using-large-parameter-set) +- [WAF-aligned](#example-4-waf-aligned) ### Example 1: _Adv_ @@ -1048,6 +1049,414 @@ module workspace 'br:bicep/modules/operational-insights.workspace:1.0.0' = {

+### Example 4: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module workspace 'br:bicep/modules/operational-insights.workspace:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-oiwwaf' + params: { + // Required parameters + name: 'oiwwaf001' + // Non-required parameters + dailyQuotaGb: 10 + dataSources: [ + { + eventLogName: 'Application' + eventTypes: [ + { + eventType: 'Error' + } + { + eventType: 'Warning' + } + { + eventType: 'Information' + } + ] + kind: 'WindowsEvent' + name: 'applicationEvent' + } + { + counterName: '% Processor Time' + instanceName: '*' + intervalSeconds: 60 + kind: 'WindowsPerformanceCounter' + name: 'windowsPerfCounter1' + objectName: 'Processor' + } + { + kind: 'IISLogs' + name: 'sampleIISLog1' + state: 'OnPremiseEnabled' + } + { + kind: 'LinuxSyslog' + name: 'sampleSyslog1' + syslogName: 'kern' + syslogSeverities: [ + { + severity: 'emerg' + } + { + severity: 'alert' + } + { + severity: 'crit' + } + { + severity: 'err' + } + { + severity: 'warning' + } + ] + } + { + kind: 'LinuxSyslogCollection' + name: 'sampleSyslogCollection1' + state: 'Enabled' + } + { + instanceName: '*' + intervalSeconds: 10 + kind: 'LinuxPerformanceObject' + name: 'sampleLinuxPerf1' + objectName: 'Logical Disk' + syslogSeverities: [ + { + counterName: '% Used Inodes' + } + { + counterName: 'Free Megabytes' + } + { + counterName: '% Used Space' + } + { + counterName: 'Disk Transfers/sec' + } + { + counterName: 'Disk Reads/sec' + } + { + counterName: 'Disk Writes/sec' + } + ] + } + { + kind: 'LinuxPerformanceCollection' + name: 'sampleLinuxPerfCollection1' + state: 'Enabled' + } + ] + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + gallerySolutions: [ + { + name: 'AzureAutomation' + product: 'OMSGallery' + publisher: 'Microsoft' + } + ] + linkedServices: [ + { + name: 'Automation' + resourceId: '' + } + ] + linkedStorageAccounts: [ + { + name: 'Query' + resourceId: '' + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + systemAssigned: true + } + publicNetworkAccessForIngestion: 'Disabled' + publicNetworkAccessForQuery: 'Disabled' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + savedSearches: [ + { + category: 'VDC Saved Searches' + displayName: 'VMSS Instance Count2' + name: 'VMSSQueries' + query: 'Event | where Source == ServiceFabricNodeBootstrapAgent | summarize AggregatedValue = count() by Computer' + } + ] + storageInsightsConfigs: [ + { + storageAccountResourceId: '' + tables: [ + 'LinuxsyslogVer2v0' + 'WADETWEventTable' + 'WADServiceFabric*EventTable' + 'WADWindowsEventLogsTable' + ] + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + useResourcePermissions: true + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "oiwwaf001" + }, + // Non-required parameters + "dailyQuotaGb": { + "value": 10 + }, + "dataSources": { + "value": [ + { + "eventLogName": "Application", + "eventTypes": [ + { + "eventType": "Error" + }, + { + "eventType": "Warning" + }, + { + "eventType": "Information" + } + ], + "kind": "WindowsEvent", + "name": "applicationEvent" + }, + { + "counterName": "% Processor Time", + "instanceName": "*", + "intervalSeconds": 60, + "kind": "WindowsPerformanceCounter", + "name": "windowsPerfCounter1", + "objectName": "Processor" + }, + { + "kind": "IISLogs", + "name": "sampleIISLog1", + "state": "OnPremiseEnabled" + }, + { + "kind": "LinuxSyslog", + "name": "sampleSyslog1", + "syslogName": "kern", + "syslogSeverities": [ + { + "severity": "emerg" + }, + { + "severity": "alert" + }, + { + "severity": "crit" + }, + { + "severity": "err" + }, + { + "severity": "warning" + } + ] + }, + { + "kind": "LinuxSyslogCollection", + "name": "sampleSyslogCollection1", + "state": "Enabled" + }, + { + "instanceName": "*", + "intervalSeconds": 10, + "kind": "LinuxPerformanceObject", + "name": "sampleLinuxPerf1", + "objectName": "Logical Disk", + "syslogSeverities": [ + { + "counterName": "% Used Inodes" + }, + { + "counterName": "Free Megabytes" + }, + { + "counterName": "% Used Space" + }, + { + "counterName": "Disk Transfers/sec" + }, + { + "counterName": "Disk Reads/sec" + }, + { + "counterName": "Disk Writes/sec" + } + ] + }, + { + "kind": "LinuxPerformanceCollection", + "name": "sampleLinuxPerfCollection1", + "state": "Enabled" + } + ] + }, + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "gallerySolutions": { + "value": [ + { + "name": "AzureAutomation", + "product": "OMSGallery", + "publisher": "Microsoft" + } + ] + }, + "linkedServices": { + "value": [ + { + "name": "Automation", + "resourceId": "" + } + ] + }, + "linkedStorageAccounts": { + "value": [ + { + "name": "Query", + "resourceId": "" + } + ] + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "systemAssigned": true + } + }, + "publicNetworkAccessForIngestion": { + "value": "Disabled" + }, + "publicNetworkAccessForQuery": { + "value": "Disabled" + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "savedSearches": { + "value": [ + { + "category": "VDC Saved Searches", + "displayName": "VMSS Instance Count2", + "name": "VMSSQueries", + "query": "Event | where Source == ServiceFabricNodeBootstrapAgent | summarize AggregatedValue = count() by Computer" + } + ] + }, + "storageInsightsConfigs": { + "value": [ + { + "storageAccountResourceId": "", + "tables": [ + "LinuxsyslogVer2v0", + "WADETWEventTable", + "WADServiceFabric*EventTable", + "WADWindowsEventLogsTable" + ] + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "useResourcePermissions": { + "value": true + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/power-bi-dedicated/capacity/README.md b/modules/power-bi-dedicated/capacity/README.md index 4e238f87bd..93a0348544 100644 --- a/modules/power-bi-dedicated/capacity/README.md +++ b/modules/power-bi-dedicated/capacity/README.md @@ -28,6 +28,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -187,6 +188,104 @@ module capacity 'br:bicep/modules/power-bi-dedicated.capacity:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module capacity 'br:bicep/modules/power-bi-dedicated.capacity:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-pbdcapwaf' + params: { + // Required parameters + members: [ + '' + ] + name: 'pbdcapwaf001' + skuCapacity: 1 + // Non-required parameters + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "members": { + "value": [ + "" + ] + }, + "name": { + "value": "pbdcapwaf001" + }, + "skuCapacity": { + "value": 1 + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/purview/account/README.md b/modules/purview/account/README.md index 0110965dca..bf1e13c412 100644 --- a/modules/purview/account/README.md +++ b/modules/purview/account/README.md @@ -31,6 +31,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -374,6 +375,296 @@ module account 'br:bicep/modules/purview.account:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module account 'br:bicep/modules/purview.account:1.0.0' = { + name: '${uniqueString(deployment().name)}-test-pvawaf' + params: { + // Required parameters + name: 'pvawaf001' + // Non-required parameters + accountPrivateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + service: 'account' + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + eventHubPrivateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + service: 'namespace' + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + location: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + userAssignedResourcesIds: [ + '' + ] + } + managedResourceGroupName: 'pvawaf001-managed-rg' + portalPrivateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + service: 'portal' + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + publicNetworkAccess: 'Disabled' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + storageBlobPrivateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + service: 'blob' + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + storageQueuePrivateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + service: 'queue' + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "pvawaf001" + }, + // Non-required parameters + "accountPrivateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "service": "account", + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] + }, + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "eventHubPrivateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "service": "namespace", + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] + }, + "location": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "userAssignedResourcesIds": [ + "" + ] + } + }, + "managedResourceGroupName": { + "value": "pvawaf001-managed-rg" + }, + "portalPrivateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "service": "portal", + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] + }, + "publicNetworkAccess": { + "value": "Disabled" + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "storageBlobPrivateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "service": "blob", + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] + }, + "storageQueuePrivateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "service": "queue", + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/recovery-services/vault/README.md b/modules/recovery-services/vault/README.md index 0f801f9e45..6543c19403 100644 --- a/modules/recovery-services/vault/README.md +++ b/modules/recovery-services/vault/README.md @@ -42,6 +42,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Dr](#example-2-dr) - [Using large parameter set](#example-3-using-large-parameter-set) +- [WAF-aligned](#example-4-waf-aligned) ### Example 1: _Using only defaults_ @@ -948,6 +949,692 @@ module vault 'br:bicep/modules/recovery-services.vault:1.0.0' = {

+### Example 4: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module vault 'br:bicep/modules/recovery-services.vault:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-rsvwaf' + params: { + // Required parameters + name: 'rsvwaf001' + // Non-required parameters + backupConfig: { + enhancedSecurityState: 'Disabled' + softDeleteFeatureState: 'Disabled' + } + backupPolicies: [ + { + name: 'VMpolicy' + properties: { + backupManagementType: 'AzureIaasVM' + instantRPDetails: {} + instantRpRetentionRangeInDays: 2 + protectedItemsCount: 0 + retentionPolicy: { + dailySchedule: { + retentionDuration: { + count: 180 + durationType: 'Days' + } + retentionTimes: [ + '2019-11-07T07:00:00Z' + ] + } + monthlySchedule: { + retentionDuration: { + count: 60 + durationType: 'Months' + } + retentionScheduleFormatType: 'Weekly' + retentionScheduleWeekly: { + daysOfTheWeek: [ + 'Sunday' + ] + weeksOfTheMonth: [ + 'First' + ] + } + retentionTimes: [ + '2019-11-07T07:00:00Z' + ] + } + retentionPolicyType: 'LongTermRetentionPolicy' + weeklySchedule: { + daysOfTheWeek: [ + 'Sunday' + ] + retentionDuration: { + count: 12 + durationType: 'Weeks' + } + retentionTimes: [ + '2019-11-07T07:00:00Z' + ] + } + yearlySchedule: { + monthsOfYear: [ + 'January' + ] + retentionDuration: { + count: 10 + durationType: 'Years' + } + retentionScheduleFormatType: 'Weekly' + retentionScheduleWeekly: { + daysOfTheWeek: [ + 'Sunday' + ] + weeksOfTheMonth: [ + 'First' + ] + } + retentionTimes: [ + '2019-11-07T07:00:00Z' + ] + } + } + schedulePolicy: { + schedulePolicyType: 'SimpleSchedulePolicy' + scheduleRunFrequency: 'Daily' + scheduleRunTimes: [ + '2019-11-07T07:00:00Z' + ] + scheduleWeeklyFrequency: 0 + } + timeZone: 'UTC' + } + } + { + name: 'sqlpolicy' + properties: { + backupManagementType: 'AzureWorkload' + protectedItemsCount: 0 + settings: { + isCompression: true + issqlcompression: true + timeZone: 'UTC' + } + subProtectionPolicy: [ + { + policyType: 'Full' + retentionPolicy: { + monthlySchedule: { + retentionDuration: { + count: 60 + durationType: 'Months' + } + retentionScheduleFormatType: 'Weekly' + retentionScheduleWeekly: { + daysOfTheWeek: [ + 'Sunday' + ] + weeksOfTheMonth: [ + 'First' + ] + } + retentionTimes: [ + '2019-11-07T22:00:00Z' + ] + } + retentionPolicyType: 'LongTermRetentionPolicy' + weeklySchedule: { + daysOfTheWeek: [ + 'Sunday' + ] + retentionDuration: { + count: 104 + durationType: 'Weeks' + } + retentionTimes: [ + '2019-11-07T22:00:00Z' + ] + } + yearlySchedule: { + monthsOfYear: [ + 'January' + ] + retentionDuration: { + count: 10 + durationType: 'Years' + } + retentionScheduleFormatType: 'Weekly' + retentionScheduleWeekly: { + daysOfTheWeek: [ + 'Sunday' + ] + weeksOfTheMonth: [ + 'First' + ] + } + retentionTimes: [ + '2019-11-07T22:00:00Z' + ] + } + } + schedulePolicy: { + schedulePolicyType: 'SimpleSchedulePolicy' + scheduleRunDays: [ + 'Sunday' + ] + scheduleRunFrequency: 'Weekly' + scheduleRunTimes: [ + '2019-11-07T22:00:00Z' + ] + scheduleWeeklyFrequency: 0 + } + } + { + policyType: 'Differential' + retentionPolicy: { + retentionDuration: { + count: 30 + durationType: 'Days' + } + retentionPolicyType: 'SimpleRetentionPolicy' + } + schedulePolicy: { + schedulePolicyType: 'SimpleSchedulePolicy' + scheduleRunDays: [ + 'Monday' + ] + scheduleRunFrequency: 'Weekly' + scheduleRunTimes: [ + '2017-03-07T02:00:00Z' + ] + scheduleWeeklyFrequency: 0 + } + } + { + policyType: 'Log' + retentionPolicy: { + retentionDuration: { + count: 15 + durationType: 'Days' + } + retentionPolicyType: 'SimpleRetentionPolicy' + } + schedulePolicy: { + scheduleFrequencyInMins: 120 + schedulePolicyType: 'LogSchedulePolicy' + } + } + ] + workLoadType: 'SQLDataBase' + } + } + { + name: 'filesharepolicy' + properties: { + backupManagementType: 'AzureStorage' + protectedItemsCount: 0 + retentionPolicy: { + dailySchedule: { + retentionDuration: { + count: 30 + durationType: 'Days' + } + retentionTimes: [ + '2019-11-07T04:30:00Z' + ] + } + retentionPolicyType: 'LongTermRetentionPolicy' + } + schedulePolicy: { + schedulePolicyType: 'SimpleSchedulePolicy' + scheduleRunFrequency: 'Daily' + scheduleRunTimes: [ + '2019-11-07T04:30:00Z' + ] + scheduleWeeklyFrequency: 0 + } + timeZone: 'UTC' + workloadType: 'AzureFileShare' + } + } + ] + backupStorageConfig: { + crossRegionRestoreFlag: true + storageModelType: 'GeoRedundant' + } + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } + monitoringSettings: { + azureMonitorAlertSettings: { + alertsForAllJobFailures: 'Enabled' + } + classicAlertSettings: { + alertsForCriticalOperations: 'Enabled' + } + } + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + replicationAlertSettings: { + customEmailAddresses: [ + 'test.user@testcompany.com' + ] + locale: 'en-US' + sendToOwners: 'Send' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + securitySettings: { + immutabilitySettings: { + state: 'Unlocked' + } + } + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "rsvwaf001" + }, + // Non-required parameters + "backupConfig": { + "value": { + "enhancedSecurityState": "Disabled", + "softDeleteFeatureState": "Disabled" + } + }, + "backupPolicies": { + "value": [ + { + "name": "VMpolicy", + "properties": { + "backupManagementType": "AzureIaasVM", + "instantRPDetails": {}, + "instantRpRetentionRangeInDays": 2, + "protectedItemsCount": 0, + "retentionPolicy": { + "dailySchedule": { + "retentionDuration": { + "count": 180, + "durationType": "Days" + }, + "retentionTimes": [ + "2019-11-07T07:00:00Z" + ] + }, + "monthlySchedule": { + "retentionDuration": { + "count": 60, + "durationType": "Months" + }, + "retentionScheduleFormatType": "Weekly", + "retentionScheduleWeekly": { + "daysOfTheWeek": [ + "Sunday" + ], + "weeksOfTheMonth": [ + "First" + ] + }, + "retentionTimes": [ + "2019-11-07T07:00:00Z" + ] + }, + "retentionPolicyType": "LongTermRetentionPolicy", + "weeklySchedule": { + "daysOfTheWeek": [ + "Sunday" + ], + "retentionDuration": { + "count": 12, + "durationType": "Weeks" + }, + "retentionTimes": [ + "2019-11-07T07:00:00Z" + ] + }, + "yearlySchedule": { + "monthsOfYear": [ + "January" + ], + "retentionDuration": { + "count": 10, + "durationType": "Years" + }, + "retentionScheduleFormatType": "Weekly", + "retentionScheduleWeekly": { + "daysOfTheWeek": [ + "Sunday" + ], + "weeksOfTheMonth": [ + "First" + ] + }, + "retentionTimes": [ + "2019-11-07T07:00:00Z" + ] + } + }, + "schedulePolicy": { + "schedulePolicyType": "SimpleSchedulePolicy", + "scheduleRunFrequency": "Daily", + "scheduleRunTimes": [ + "2019-11-07T07:00:00Z" + ], + "scheduleWeeklyFrequency": 0 + }, + "timeZone": "UTC" + } + }, + { + "name": "sqlpolicy", + "properties": { + "backupManagementType": "AzureWorkload", + "protectedItemsCount": 0, + "settings": { + "isCompression": true, + "issqlcompression": true, + "timeZone": "UTC" + }, + "subProtectionPolicy": [ + { + "policyType": "Full", + "retentionPolicy": { + "monthlySchedule": { + "retentionDuration": { + "count": 60, + "durationType": "Months" + }, + "retentionScheduleFormatType": "Weekly", + "retentionScheduleWeekly": { + "daysOfTheWeek": [ + "Sunday" + ], + "weeksOfTheMonth": [ + "First" + ] + }, + "retentionTimes": [ + "2019-11-07T22:00:00Z" + ] + }, + "retentionPolicyType": "LongTermRetentionPolicy", + "weeklySchedule": { + "daysOfTheWeek": [ + "Sunday" + ], + "retentionDuration": { + "count": 104, + "durationType": "Weeks" + }, + "retentionTimes": [ + "2019-11-07T22:00:00Z" + ] + }, + "yearlySchedule": { + "monthsOfYear": [ + "January" + ], + "retentionDuration": { + "count": 10, + "durationType": "Years" + }, + "retentionScheduleFormatType": "Weekly", + "retentionScheduleWeekly": { + "daysOfTheWeek": [ + "Sunday" + ], + "weeksOfTheMonth": [ + "First" + ] + }, + "retentionTimes": [ + "2019-11-07T22:00:00Z" + ] + } + }, + "schedulePolicy": { + "schedulePolicyType": "SimpleSchedulePolicy", + "scheduleRunDays": [ + "Sunday" + ], + "scheduleRunFrequency": "Weekly", + "scheduleRunTimes": [ + "2019-11-07T22:00:00Z" + ], + "scheduleWeeklyFrequency": 0 + } + }, + { + "policyType": "Differential", + "retentionPolicy": { + "retentionDuration": { + "count": 30, + "durationType": "Days" + }, + "retentionPolicyType": "SimpleRetentionPolicy" + }, + "schedulePolicy": { + "schedulePolicyType": "SimpleSchedulePolicy", + "scheduleRunDays": [ + "Monday" + ], + "scheduleRunFrequency": "Weekly", + "scheduleRunTimes": [ + "2017-03-07T02:00:00Z" + ], + "scheduleWeeklyFrequency": 0 + } + }, + { + "policyType": "Log", + "retentionPolicy": { + "retentionDuration": { + "count": 15, + "durationType": "Days" + }, + "retentionPolicyType": "SimpleRetentionPolicy" + }, + "schedulePolicy": { + "scheduleFrequencyInMins": 120, + "schedulePolicyType": "LogSchedulePolicy" + } + } + ], + "workLoadType": "SQLDataBase" + } + }, + { + "name": "filesharepolicy", + "properties": { + "backupManagementType": "AzureStorage", + "protectedItemsCount": 0, + "retentionPolicy": { + "dailySchedule": { + "retentionDuration": { + "count": 30, + "durationType": "Days" + }, + "retentionTimes": [ + "2019-11-07T04:30:00Z" + ] + }, + "retentionPolicyType": "LongTermRetentionPolicy" + }, + "schedulePolicy": { + "schedulePolicyType": "SimpleSchedulePolicy", + "scheduleRunFrequency": "Daily", + "scheduleRunTimes": [ + "2019-11-07T04:30:00Z" + ], + "scheduleWeeklyFrequency": 0 + }, + "timeZone": "UTC", + "workloadType": "AzureFileShare" + } + } + ] + }, + "backupStorageConfig": { + "value": { + "crossRegionRestoreFlag": true, + "storageModelType": "GeoRedundant" + } + }, + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, + "monitoringSettings": { + "value": { + "azureMonitorAlertSettings": { + "alertsForAllJobFailures": "Enabled" + }, + "classicAlertSettings": { + "alertsForCriticalOperations": "Enabled" + } + } + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] + }, + "replicationAlertSettings": { + "value": { + "customEmailAddresses": [ + "test.user@testcompany.com" + ], + "locale": "en-US", + "sendToOwners": "Send" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "securitySettings": { + "value": { + "immutabilitySettings": { + "state": "Unlocked" + } + } + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/relay/namespace/README.md b/modules/relay/namespace/README.md index f7f4a331ec..0e0ec1776b 100644 --- a/modules/relay/namespace/README.md +++ b/modules/relay/namespace/README.md @@ -38,6 +38,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) - [Pe](#example-3-pe) +- [WAF-aligned](#example-4-waf-aligned) ### Example 1: _Using only defaults_ @@ -464,6 +465,294 @@ module namespace 'br:bicep/modules/relay.namespace:1.0.0' = {

+### Example 4: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module namespace 'br:bicep/modules/relay.namespace:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-rnwaf' + params: { + // Required parameters + name: 'rnwaf001' + // Non-required parameters + authorizationRules: [ + { + name: 'RootManageSharedAccessKey' + rights: [ + 'Listen' + 'Manage' + 'Send' + ] + } + { + name: 'AnotherKey' + rights: [ + 'Listen' + 'Send' + ] + } + ] + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + hybridConnections: [ + { + name: 'rnwafhc001' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + userMetadata: '[{\'key\':\'endpoint\'\'value\':\'db-server.constoso.com:1433\'}]' + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + networkRuleSets: { + defaultAction: 'Deny' + ipRules: [ + { + action: 'Allow' + ipMask: '10.0.1.0/32' + } + { + action: 'Allow' + ipMask: '10.0.2.0/32' + } + ] + trustedServiceAccessEnabled: true + virtualNetworkRules: [ + { + subnet: { + id: '' + ignoreMissingVnetServiceEndpoint: true + } + } + ] + } + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + service: 'namespace' + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + skuName: 'Standard' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + wcfRelays: [ + { + name: 'rnwafwcf001' + relayType: 'NetTcp' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + } + ] + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "rnwaf001" + }, + // Non-required parameters + "authorizationRules": { + "value": [ + { + "name": "RootManageSharedAccessKey", + "rights": [ + "Listen", + "Manage", + "Send" + ] + }, + { + "name": "AnotherKey", + "rights": [ + "Listen", + "Send" + ] + } + ] + }, + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "hybridConnections": { + "value": [ + { + "name": "rnwafhc001", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "userMetadata": "[{\"key\":\"endpoint\",\"value\":\"db-server.constoso.com:1433\"}]" + } + ] + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "networkRuleSets": { + "value": { + "defaultAction": "Deny", + "ipRules": [ + { + "action": "Allow", + "ipMask": "10.0.1.0/32" + }, + { + "action": "Allow", + "ipMask": "10.0.2.0/32" + } + ], + "trustedServiceAccessEnabled": true, + "virtualNetworkRules": [ + { + "subnet": { + "id": "", + "ignoreMissingVnetServiceEndpoint": true + } + } + ] + } + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "service": "namespace", + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "skuName": { + "value": "Standard" + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "wcfRelays": { + "value": [ + { + "name": "rnwafwcf001", + "relayType": "NetTcp", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + } + ] + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/resource-graph/query/README.md b/modules/resource-graph/query/README.md index b0a81c470e..b9d4187d55 100644 --- a/modules/resource-graph/query/README.md +++ b/modules/resource-graph/query/README.md @@ -28,6 +28,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -175,6 +176,100 @@ module query 'br:bicep/modules/resource-graph.query:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module query 'br:bicep/modules/resource-graph.query:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-rgqwaf' + params: { + // Required parameters + name: 'rgqwaf001' + query: 'resources | take 10' + // Non-required parameters + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + queryDescription: 'An example query to list first 10 resources in the subscription.' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "rgqwaf001" + }, + "query": { + "value": "resources | take 10" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "queryDescription": { + "value": "An example query to list first 10 resources in the subscription." + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/resources/resource-group/README.md b/modules/resources/resource-group/README.md index e80ab43762..6e0fab2365 100644 --- a/modules/resources/resource-group/README.md +++ b/modules/resources/resource-group/README.md @@ -28,6 +28,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -163,6 +164,92 @@ module resourceGroup 'br:bicep/modules/resources.resource-group:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module resourceGroup 'br:bicep/modules/resources.resource-group:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-rrgwaf' + params: { + // Required parameters + name: 'rrgwaf001' + // Non-required parameters + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "rrgwaf001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/search/search-service/README.md b/modules/search/search-service/README.md index 3a6fe2f628..94d3e8eeff 100644 --- a/modules/search/search-service/README.md +++ b/modules/search/search-service/README.md @@ -33,6 +33,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) - [Pe](#example-3-pe) +- [WAF-aligned](#example-4-waf-aligned) ### Example 1: _Using only defaults_ @@ -395,6 +396,198 @@ module searchService 'br:bicep/modules/search.search-service:1.0.0' = {

+### Example 4: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module searchService 'br:bicep/modules/search.search-service:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-ssswaf' + params: { + // Required parameters + name: 'ssswaf001' + // Non-required parameters + authOptions: { + aadOrApiKey: { + aadAuthFailureMode: 'http401WithBearerChallenge' + } + } + cmkEnforcement: 'Enabled' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + disableLocalAuth: false + enableDefaultTelemetry: '' + hostingMode: 'highDensity' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + systemAssigned: true + } + networkRuleSet: { + ipRules: [ + { + value: '40.74.28.0/23' + } + { + value: '87.147.204.13' + } + ] + } + partitionCount: 2 + replicaCount: 3 + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Search Service Contributor' + } + ] + sku: 'standard3' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "ssswaf001" + }, + // Non-required parameters + "authOptions": { + "value": { + "aadOrApiKey": { + "aadAuthFailureMode": "http401WithBearerChallenge" + } + } + }, + "cmkEnforcement": { + "value": "Enabled" + }, + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "disableLocalAuth": { + "value": false + }, + "enableDefaultTelemetry": { + "value": "" + }, + "hostingMode": { + "value": "highDensity" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "systemAssigned": true + } + }, + "networkRuleSet": { + "value": { + "ipRules": [ + { + "value": "40.74.28.0/23" + }, + { + "value": "87.147.204.13" + } + ] + } + }, + "partitionCount": { + "value": 2 + }, + "replicaCount": { + "value": 3 + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Search Service Contributor" + } + ] + }, + "sku": { + "value": "standard3" + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/security/azure-security-center/README.md b/modules/security/azure-security-center/README.md index ea0247aee2..f3a67e036f 100644 --- a/modules/security/azure-security-center/README.md +++ b/modules/security/azure-security-center/README.md @@ -30,6 +30,7 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/security.azure-security-center:1.0.0`. - [Using large parameter set](#example-1-using-large-parameter-set) +- [WAF-aligned](#example-2-waf-aligned) ### Example 1: _Using large parameter set_ @@ -93,6 +94,68 @@ module azureSecurityCenter 'br:bicep/modules/security.azure-security-center:1.0.

+### Example 2: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module azureSecurityCenter 'br:bicep/modules/security.azure-security-center:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-sascwaf' + params: { + // Required parameters + workspaceId: '' + // Non-required parameters + enableDefaultTelemetry: '' + securityContactProperties: { + alertNotifications: 'Off' + alertsToAdmins: 'Off' + email: 'foo@contoso.com' + phone: '+12345678' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "workspaceId": { + "value": "" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "securityContactProperties": { + "value": { + "alertNotifications": "Off", + "alertsToAdmins": "Off", + "email": "foo@contoso.com", + "phone": "+12345678" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/service-bus/namespace/README.md b/modules/service-bus/namespace/README.md index 60aef288fd..db6e405643 100644 --- a/modules/service-bus/namespace/README.md +++ b/modules/service-bus/namespace/README.md @@ -41,6 +41,7 @@ The following section provides usage examples for the module, which were used to - [Encr](#example-2-encr) - [Using large parameter set](#example-3-using-large-parameter-set) - [Pe](#example-4-pe) +- [WAF-aligned](#example-5-waf-aligned) ### Example 1: _Using only defaults_ @@ -754,6 +755,396 @@ module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = {

+### Example 5: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module namespace 'br:bicep/modules/service-bus.namespace:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-sbnwaf' + params: { + // Required parameters + name: 'sbnwaf001' + // Non-required parameters + authorizationRules: [ + { + name: 'RootManageSharedAccessKey' + rights: [ + 'Listen' + 'Manage' + 'Send' + ] + } + { + name: 'AnotherKey' + rights: [ + 'Listen' + 'Send' + ] + } + ] + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + disableLocalAuth: true + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } + minimumTlsVersion: '1.2' + networkRuleSets: { + defaultAction: 'Deny' + ipRules: [ + { + action: 'Allow' + ipMask: '10.0.1.0/32' + } + { + action: 'Allow' + ipMask: '10.0.2.0/32' + } + ] + trustedServiceAccessEnabled: true + virtualNetworkRules: [ + { + ignoreMissingVnetServiceEndpoint: true + subnetResourceId: '' + } + ] + } + premiumMessagingPartitions: 1 + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + service: 'namespace' + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + publicNetworkAccess: 'Enabled' + queues: [ + { + authorizationRules: [ + { + name: 'RootManageSharedAccessKey' + rights: [ + 'Listen' + 'Manage' + 'Send' + ] + } + { + name: 'AnotherKey' + rights: [ + 'Listen' + 'Send' + ] + } + ] + autoDeleteOnIdle: 'PT5M' + maxMessageSizeInKilobytes: 2048 + name: 'sbnwafq001' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + } + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + skuCapacity: 2 + skuName: 'Premium' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + topics: [ + { + authorizationRules: [ + { + name: 'RootManageSharedAccessKey' + rights: [ + 'Listen' + 'Manage' + 'Send' + ] + } + { + name: 'AnotherKey' + rights: [ + 'Listen' + 'Send' + ] + } + ] + name: 'sbnwaft001' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + } + ] + zoneRedundant: true + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "sbnwaf001" + }, + // Non-required parameters + "authorizationRules": { + "value": [ + { + "name": "RootManageSharedAccessKey", + "rights": [ + "Listen", + "Manage", + "Send" + ] + }, + { + "name": "AnotherKey", + "rights": [ + "Listen", + "Send" + ] + } + ] + }, + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "disableLocalAuth": { + "value": true + }, + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, + "minimumTlsVersion": { + "value": "1.2" + }, + "networkRuleSets": { + "value": { + "defaultAction": "Deny", + "ipRules": [ + { + "action": "Allow", + "ipMask": "10.0.1.0/32" + }, + { + "action": "Allow", + "ipMask": "10.0.2.0/32" + } + ], + "trustedServiceAccessEnabled": true, + "virtualNetworkRules": [ + { + "ignoreMissingVnetServiceEndpoint": true, + "subnetResourceId": "" + } + ] + } + }, + "premiumMessagingPartitions": { + "value": 1 + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "service": "namespace", + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] + }, + "publicNetworkAccess": { + "value": "Enabled" + }, + "queues": { + "value": [ + { + "authorizationRules": [ + { + "name": "RootManageSharedAccessKey", + "rights": [ + "Listen", + "Manage", + "Send" + ] + }, + { + "name": "AnotherKey", + "rights": [ + "Listen", + "Send" + ] + } + ], + "autoDeleteOnIdle": "PT5M", + "maxMessageSizeInKilobytes": 2048, + "name": "sbnwafq001", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + } + ] + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "skuCapacity": { + "value": 2 + }, + "skuName": { + "value": "Premium" + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "topics": { + "value": [ + { + "authorizationRules": [ + { + "name": "RootManageSharedAccessKey", + "rights": [ + "Listen", + "Manage", + "Send" + ] + }, + { + "name": "AnotherKey", + "rights": [ + "Listen", + "Send" + ] + } + ], + "name": "sbnwaft001", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + } + ] + }, + "zoneRedundant": { + "value": true + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/service-fabric/cluster/README.md b/modules/service-fabric/cluster/README.md index ff6dbe1f65..e24432c80e 100644 --- a/modules/service-fabric/cluster/README.md +++ b/modules/service-fabric/cluster/README.md @@ -31,6 +31,7 @@ The following section provides usage examples for the module, which were used to - [Cert](#example-1-cert) - [Using only defaults](#example-2-using-only-defaults) - [Using large parameter set](#example-3-using-large-parameter-set) +- [WAF-aligned](#example-4-waf-aligned) ### Example 1: _Cert_ @@ -649,6 +650,420 @@ module cluster 'br:bicep/modules/service-fabric.cluster:1.0.0' = {

+### Example 4: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module cluster 'br:bicep/modules/service-fabric.cluster:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-sfcwaf' + params: { + // Required parameters + managementEndpoint: 'https://sfcwaf001.westeurope.cloudapp.azure.com:19080' + name: 'sfcwaf001' + nodeTypes: [ + { + applicationPorts: { + endPort: 30000 + startPort: 20000 + } + clientConnectionEndpointPort: 19000 + durabilityLevel: 'Silver' + ephemeralPorts: { + endPort: 65534 + startPort: 49152 + } + httpGatewayEndpointPort: 19080 + isPrimary: true + isStateless: false + multipleAvailabilityZones: false + name: 'Node01' + placementProperties: {} + reverseProxyEndpointPort: '' + vmInstanceCount: 5 + } + { + applicationPorts: { + endPort: 30000 + startPort: 20000 + } + clientConnectionEndpointPort: 19000 + durabilityLevel: 'Bronze' + ephemeralPorts: { + endPort: 64000 + httpGatewayEndpointPort: 19007 + isPrimary: true + name: 'Node02' + startPort: 49000 + vmInstanceCount: 5 + } + } + ] + reliabilityLevel: 'Silver' + // Non-required parameters + addOnFeatures: [ + 'BackupRestoreService' + 'DnsService' + 'RepairManager' + 'ResourceMonitorService' + ] + applicationTypes: [ + { + name: 'WordCount' + } + ] + azureActiveDirectory: { + clientApplication: '' + clusterApplication: 'cf33fea8-b30f-424f-ab73-c48d99e0b222' + tenantId: '' + } + certificateCommonNames: { + commonNames: [ + { + certificateCommonName: 'certcommon' + certificateIssuerThumbprint: '0AC113D5E1D94C401DDEB0EE2B1B96CC130' + } + ] + x509StoreName: '' + } + clientCertificateCommonNames: [ + { + certificateCommonName: 'clientcommoncert1' + certificateIssuerThumbprint: '0AC113D5E1D94C401DDEB0EE2B1B96CC130' + isAdmin: false + } + { + certificateCommonName: 'clientcommoncert2' + certificateIssuerThumbprint: '0AC113D5E1D94C401DDEB0EE2B1B96CC131' + isAdmin: false + } + ] + clientCertificateThumbprints: [ + { + certificateThumbprint: '0AC113D5E1D94C401DDEB0EE2B1B96CC130' + isAdmin: false + } + { + certificateThumbprint: '0AC113D5E1D94C401DDEB0EE2B1B96CC131' + isAdmin: false + } + ] + diagnosticsStorageAccountConfig: { + blobEndpoint: '' + protectedAccountKeyName: 'StorageAccountKey1' + queueEndpoint: '' + storageAccountName: '' + tableEndpoint: '' + } + enableDefaultTelemetry: '' + fabricSettings: [ + { + name: 'Security' + parameters: [ + { + name: 'ClusterProtectionLevel' + value: 'EncryptAndSign' + } + ] + } + { + name: 'UpgradeService' + parameters: [ + { + name: 'AppPollIntervalInSeconds' + value: '60' + } + ] + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + maxUnusedVersionsToKeep: 2 + notifications: [ + { + isEnabled: true + notificationCategory: 'WaveProgress' + notificationLevel: 'Critical' + notificationTargets: [ + { + notificationChannel: 'EmailUser' + receivers: [ + 'SomeReceiver' + ] + } + ] + } + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + clusterName: 'sfcwaf001' + 'hidden-title': 'This is visible in the resource name' + resourceType: 'Service Fabric' + } + upgradeDescription: { + deltaHealthPolicy: { + maxPercentDeltaUnhealthyApplications: 0 + maxPercentDeltaUnhealthyNodes: 0 + maxPercentUpgradeDomainDeltaUnhealthyNodes: 0 + } + forceRestart: false + healthCheckRetryTimeout: '00:45:00' + healthCheckStableDuration: '00:01:00' + healthCheckWaitDuration: '00:00:30' + healthPolicy: { + maxPercentUnhealthyApplications: 0 + maxPercentUnhealthyNodes: 0 + } + upgradeDomainTimeout: '02:00:00' + upgradeReplicaSetCheckTimeout: '1.00:00:00' + upgradeTimeout: '02:00:00' + } + vmImage: 'Linux' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "managementEndpoint": { + "value": "https://sfcwaf001.westeurope.cloudapp.azure.com:19080" + }, + "name": { + "value": "sfcwaf001" + }, + "nodeTypes": { + "value": [ + { + "applicationPorts": { + "endPort": 30000, + "startPort": 20000 + }, + "clientConnectionEndpointPort": 19000, + "durabilityLevel": "Silver", + "ephemeralPorts": { + "endPort": 65534, + "startPort": 49152 + }, + "httpGatewayEndpointPort": 19080, + "isPrimary": true, + "isStateless": false, + "multipleAvailabilityZones": false, + "name": "Node01", + "placementProperties": {}, + "reverseProxyEndpointPort": "", + "vmInstanceCount": 5 + }, + { + "applicationPorts": { + "endPort": 30000, + "startPort": 20000 + }, + "clientConnectionEndpointPort": 19000, + "durabilityLevel": "Bronze", + "ephemeralPorts": { + "endPort": 64000, + "httpGatewayEndpointPort": 19007, + "isPrimary": true, + "name": "Node02", + "startPort": 49000, + "vmInstanceCount": 5 + } + } + ] + }, + "reliabilityLevel": { + "value": "Silver" + }, + // Non-required parameters + "addOnFeatures": { + "value": [ + "BackupRestoreService", + "DnsService", + "RepairManager", + "ResourceMonitorService" + ] + }, + "applicationTypes": { + "value": [ + { + "name": "WordCount" + } + ] + }, + "azureActiveDirectory": { + "value": { + "clientApplication": "", + "clusterApplication": "cf33fea8-b30f-424f-ab73-c48d99e0b222", + "tenantId": "" + } + }, + "certificateCommonNames": { + "value": { + "commonNames": [ + { + "certificateCommonName": "certcommon", + "certificateIssuerThumbprint": "0AC113D5E1D94C401DDEB0EE2B1B96CC130" + } + ], + "x509StoreName": "" + } + }, + "clientCertificateCommonNames": { + "value": [ + { + "certificateCommonName": "clientcommoncert1", + "certificateIssuerThumbprint": "0AC113D5E1D94C401DDEB0EE2B1B96CC130", + "isAdmin": false + }, + { + "certificateCommonName": "clientcommoncert2", + "certificateIssuerThumbprint": "0AC113D5E1D94C401DDEB0EE2B1B96CC131", + "isAdmin": false + } + ] + }, + "clientCertificateThumbprints": { + "value": [ + { + "certificateThumbprint": "0AC113D5E1D94C401DDEB0EE2B1B96CC130", + "isAdmin": false + }, + { + "certificateThumbprint": "0AC113D5E1D94C401DDEB0EE2B1B96CC131", + "isAdmin": false + } + ] + }, + "diagnosticsStorageAccountConfig": { + "value": { + "blobEndpoint": "", + "protectedAccountKeyName": "StorageAccountKey1", + "queueEndpoint": "", + "storageAccountName": "", + "tableEndpoint": "" + } + }, + "enableDefaultTelemetry": { + "value": "" + }, + "fabricSettings": { + "value": [ + { + "name": "Security", + "parameters": [ + { + "name": "ClusterProtectionLevel", + "value": "EncryptAndSign" + } + ] + }, + { + "name": "UpgradeService", + "parameters": [ + { + "name": "AppPollIntervalInSeconds", + "value": "60" + } + ] + } + ] + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "maxUnusedVersionsToKeep": { + "value": 2 + }, + "notifications": { + "value": [ + { + "isEnabled": true, + "notificationCategory": "WaveProgress", + "notificationLevel": "Critical", + "notificationTargets": [ + { + "notificationChannel": "EmailUser", + "receivers": [ + "SomeReceiver" + ] + } + ] + } + ] + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "clusterName": "sfcwaf001", + "hidden-title": "This is visible in the resource name", + "resourceType": "Service Fabric" + } + }, + "upgradeDescription": { + "value": { + "deltaHealthPolicy": { + "maxPercentDeltaUnhealthyApplications": 0, + "maxPercentDeltaUnhealthyNodes": 0, + "maxPercentUpgradeDomainDeltaUnhealthyNodes": 0 + }, + "forceRestart": false, + "healthCheckRetryTimeout": "00:45:00", + "healthCheckStableDuration": "00:01:00", + "healthCheckWaitDuration": "00:00:30", + "healthPolicy": { + "maxPercentUnhealthyApplications": 0, + "maxPercentUnhealthyNodes": 0 + }, + "upgradeDomainTimeout": "02:00:00", + "upgradeReplicaSetCheckTimeout": "1.00:00:00", + "upgradeTimeout": "02:00:00" + } + }, + "vmImage": { + "value": "Linux" + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/signal-r-service/signal-r/README.md b/modules/signal-r-service/signal-r/README.md index 8a20ce6637..0650ea90d4 100644 --- a/modules/signal-r-service/signal-r/README.md +++ b/modules/signal-r-service/signal-r/README.md @@ -30,6 +30,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -271,6 +272,198 @@ module signalR 'br:bicep/modules/signal-r-service.signal-r:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module signalR 'br:bicep/modules/signal-r-service.signal-r:1.0.0' = { + name: '${uniqueString(deployment().name)}-test-srssrwaf' + params: { + // Required parameters + name: 'srssrwaf-001' + // Non-required parameters + capacity: 2 + clientCertEnabled: false + disableAadAuth: false + disableLocalAuth: true + enableDefaultTelemetry: '' + kind: 'SignalR' + location: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + networkAcls: { + defaultAction: 'Allow' + privateEndpoints: [ + { + allow: [] + deny: [ + 'ServerConnection' + 'Trace' + ] + name: 'pe-srssrwaf-001' + } + ] + publicNetwork: { + allow: [] + deny: [ + 'RESTAPI' + 'Trace' + ] + } + } + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + resourceLogConfigurationsToEnable: [ + 'ConnectivityLogs' + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + sku: 'Standard_S1' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "srssrwaf-001" + }, + // Non-required parameters + "capacity": { + "value": 2 + }, + "clientCertEnabled": { + "value": false + }, + "disableAadAuth": { + "value": false + }, + "disableLocalAuth": { + "value": true + }, + "enableDefaultTelemetry": { + "value": "" + }, + "kind": { + "value": "SignalR" + }, + "location": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "networkAcls": { + "value": { + "defaultAction": "Allow", + "privateEndpoints": [ + { + "allow": [], + "deny": [ + "ServerConnection", + "Trace" + ], + "name": "pe-srssrwaf-001" + } + ], + "publicNetwork": { + "allow": [], + "deny": [ + "RESTAPI", + "Trace" + ] + } + } + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] + }, + "resourceLogConfigurationsToEnable": { + "value": [ + "ConnectivityLogs" + ] + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "sku": { + "value": "Standard_S1" + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/signal-r-service/web-pub-sub/README.md b/modules/signal-r-service/web-pub-sub/README.md index de04a9437c..80d94432be 100644 --- a/modules/signal-r-service/web-pub-sub/README.md +++ b/modules/signal-r-service/web-pub-sub/README.md @@ -31,6 +31,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) - [Pe](#example-3-pe) +- [WAF-aligned](#example-4-waf-aligned) ### Example 1: _Using only defaults_ @@ -367,6 +368,204 @@ module webPubSub 'br:bicep/modules/signal-r-service.web-pub-sub:1.0.0' = {

+### Example 4: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module webPubSub 'br:bicep/modules/signal-r-service.web-pub-sub:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-srswpswaf' + params: { + // Required parameters + name: 'srswpswaf-001' + // Non-required parameters + capacity: 2 + clientCertEnabled: false + disableAadAuth: false + disableLocalAuth: true + enableDefaultTelemetry: '' + location: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + systemAssigned: true + } + networkAcls: { + defaultAction: 'Allow' + privateEndpoints: [ + { + allow: [] + deny: [ + 'ServerConnection' + 'Trace' + ] + name: 'pe-srswpswaf-001' + } + ] + publicNetwork: { + allow: [] + deny: [ + 'RESTAPI' + 'Trace' + ] + } + } + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + service: 'webpubsub' + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + resourceLogConfigurationsToEnable: [ + 'ConnectivityLogs' + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + sku: 'Standard_S1' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "srswpswaf-001" + }, + // Non-required parameters + "capacity": { + "value": 2 + }, + "clientCertEnabled": { + "value": false + }, + "disableAadAuth": { + "value": false + }, + "disableLocalAuth": { + "value": true + }, + "enableDefaultTelemetry": { + "value": "" + }, + "location": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "systemAssigned": true + } + }, + "networkAcls": { + "value": { + "defaultAction": "Allow", + "privateEndpoints": [ + { + "allow": [], + "deny": [ + "ServerConnection", + "Trace" + ], + "name": "pe-srswpswaf-001" + } + ], + "publicNetwork": { + "allow": [], + "deny": [ + "RESTAPI", + "Trace" + ] + } + } + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "service": "webpubsub", + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] + }, + "resourceLogConfigurationsToEnable": { + "value": [ + "ConnectivityLogs" + ] + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "sku": { + "value": "Standard_S1" + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/sql/managed-instance/README.md b/modules/sql/managed-instance/README.md index 14c4696753..c16e126709 100644 --- a/modules/sql/managed-instance/README.md +++ b/modules/sql/managed-instance/README.md @@ -39,6 +39,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) - [Vulnassm](#example-3-vulnassm) +- [WAF-aligned](#example-4-waf-aligned) ### Example 1: _Using only defaults_ @@ -505,6 +506,298 @@ module managedInstance 'br:bicep/modules/sql.managed-instance:1.0.0' = {

+### Example 4: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module managedInstance 'br:bicep/modules/sql.managed-instance:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-sqlmiwaf' + params: { + // Required parameters + administratorLogin: 'adminUserName' + administratorLoginPassword: '' + name: 'sqlmiwaf' + subnetId: '' + // Non-required parameters + collation: 'SQL_Latin1_General_CP1_CI_AS' + databases: [ + { + backupLongTermRetentionPolicies: { + name: 'default' + } + backupShortTermRetentionPolicies: { + name: 'default' + } + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + name: 'sqlmiwaf-db-001' + } + ] + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + dnsZonePartner: '' + enableDefaultTelemetry: '' + encryptionProtectorObj: { + serverKeyName: '' + serverKeyType: 'AzureKeyVault' + } + hardwareFamily: 'Gen5' + keys: [ + { + name: '' + serverKeyType: 'AzureKeyVault' + uri: '' + } + ] + licenseType: 'LicenseIncluded' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } + primaryUserAssignedIdentityId: '' + proxyOverride: 'Proxy' + publicDataEndpointEnabled: false + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + securityAlertPoliciesObj: { + emailAccountAdmins: true + name: 'default' + state: 'Enabled' + } + servicePrincipal: 'SystemAssigned' + skuName: 'GP_Gen5' + skuTier: 'GeneralPurpose' + storageSizeInGB: 32 + timezoneId: 'UTC' + vCores: 4 + vulnerabilityAssessmentsObj: { + emailSubscriptionAdmins: true + name: 'default' + recurringScansEmails: [ + 'test1@contoso.com' + 'test2@contoso.com' + ] + recurringScansIsEnabled: true + storageAccountResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "administratorLogin": { + "value": "adminUserName" + }, + "administratorLoginPassword": { + "value": "" + }, + "name": { + "value": "sqlmiwaf" + }, + "subnetId": { + "value": "" + }, + "collation": { + "value": "SQL_Latin1_General_CP1_CI_AS" + }, + "databases": { + "value": [ + { + "backupLongTermRetentionPolicies": { + "name": "default" + }, + "backupShortTermRetentionPolicies": { + "name": "default" + }, + "diagnosticSettings": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ], + "name": "sqlmiwaf-db-001" + } + ] + }, + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "dnsZonePartner": { + "value": "" + }, + "enableDefaultTelemetry": { + "value": "" + }, + "encryptionProtectorObj": { + "value": { + "serverKeyName": "", + "serverKeyType": "AzureKeyVault" + } + }, + "hardwareFamily": { + "value": "Gen5" + }, + "keys": { + "value": [ + { + "name": "", + "serverKeyType": "AzureKeyVault", + "uri": "" + } + ] + }, + "licenseType": { + "value": "LicenseIncluded" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, + "primaryUserAssignedIdentityId": { + "value": "" + }, + "proxyOverride": { + "value": "Proxy" + }, + "publicDataEndpointEnabled": { + "value": false + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "securityAlertPoliciesObj": { + "value": { + "emailAccountAdmins": true, + "name": "default", + "state": "Enabled" + } + }, + "servicePrincipal": { + "value": "SystemAssigned" + }, + "skuName": { + "value": "GP_Gen5" + }, + "skuTier": { + "value": "GeneralPurpose" + }, + "storageSizeInGB": { + "value": 32 + }, + "timezoneId": { + "value": "UTC" + }, + "vCores": { + "value": 4 + }, + "vulnerabilityAssessmentsObj": { + "value": { + "emailSubscriptionAdmins": true, + "name": "default", + "recurringScansEmails": [ + "test1@contoso.com", + "test2@contoso.com" + ], + "recurringScansIsEnabled": true, + "storageAccountResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/sql/server/README.md b/modules/sql/server/README.md index 329f0f3f82..95b1c24ad9 100644 --- a/modules/sql/server/README.md +++ b/modules/sql/server/README.md @@ -45,6 +45,7 @@ The following section provides usage examples for the module, which were used to - [Pe](#example-3-pe) - [Secondary](#example-4-secondary) - [Vulnassm](#example-5-vulnassm) +- [WAF-aligned](#example-6-waf-aligned) ### Example 1: _Admin_ @@ -734,6 +735,324 @@ module server 'br:bicep/modules/sql.server:1.0.0' = {

+### Example 6: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module server 'br:bicep/modules/sql.server:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-sqlswaf' + params: { + // Required parameters + name: 'sqlswaf' + // Non-required parameters + administratorLogin: 'adminUserName' + administratorLoginPassword: '' + databases: [ + { + backupLongTermRetentionPolicy: { + monthlyRetention: 'P6M' + } + backupShortTermRetentionPolicy: { + retentionDays: 14 + } + capacity: 0 + collation: 'SQL_Latin1_General_CP1_CI_AS' + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + elasticPoolId: '' + encryptionProtectorObj: { + serverKeyName: '' + serverKeyType: 'AzureKeyVault' + } + licenseType: 'LicenseIncluded' + maxSizeBytes: 34359738368 + name: 'sqlswafdb-001' + skuName: 'ElasticPool' + skuTier: 'GeneralPurpose' + } + ] + elasticPools: [ + { + maintenanceConfigurationId: '' + name: 'sqlswaf-ep-001' + skuCapacity: 10 + skuName: 'GP_Gen5' + skuTier: 'GeneralPurpose' + } + ] + enableDefaultTelemetry: '' + firewallRules: [ + { + endIpAddress: '0.0.0.0' + name: 'AllowAllWindowsAzureIps' + startIpAddress: '0.0.0.0' + } + ] + keys: [ + { + name: '' + serverKeyType: 'AzureKeyVault' + uri: '' + } + ] + location: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } + primaryUserAssignedIdentityId: '' + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + service: 'sqlServer' + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + restrictOutboundNetworkAccess: 'Disabled' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + securityAlertPolicies: [ + { + emailAccountAdmins: true + name: 'Default' + state: 'Enabled' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + virtualNetworkRules: [ + { + ignoreMissingVnetServiceEndpoint: true + name: 'newVnetRule1' + virtualNetworkSubnetId: '' + } + ] + vulnerabilityAssessmentsObj: { + emailSubscriptionAdmins: true + name: 'default' + recurringScansEmails: [ + 'test1@contoso.com' + 'test2@contoso.com' + ] + recurringScansIsEnabled: true + storageAccountResourceId: '' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "name": { + "value": "sqlswaf" + }, + "administratorLogin": { + "value": "adminUserName" + }, + "administratorLoginPassword": { + "value": "" + }, + "databases": { + "value": [ + { + "backupLongTermRetentionPolicy": { + "monthlyRetention": "P6M" + }, + "backupShortTermRetentionPolicy": { + "retentionDays": 14 + }, + "capacity": 0, + "collation": "SQL_Latin1_General_CP1_CI_AS", + "diagnosticSettings": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ], + "elasticPoolId": "", + "encryptionProtectorObj": { + "serverKeyName": "", + "serverKeyType": "AzureKeyVault" + }, + "licenseType": "LicenseIncluded", + "maxSizeBytes": 34359738368, + "name": "sqlswafdb-001", + "skuName": "ElasticPool", + "skuTier": "GeneralPurpose" + } + ] + }, + "elasticPools": { + "value": [ + { + "maintenanceConfigurationId": "", + "name": "sqlswaf-ep-001", + "skuCapacity": 10, + "skuName": "GP_Gen5", + "skuTier": "GeneralPurpose" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "firewallRules": { + "value": [ + { + "endIpAddress": "0.0.0.0", + "name": "AllowAllWindowsAzureIps", + "startIpAddress": "0.0.0.0" + } + ] + }, + "keys": { + "value": [ + { + "name": "", + "serverKeyType": "AzureKeyVault", + "uri": "" + } + ] + }, + "location": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, + "primaryUserAssignedIdentityId": { + "value": "" + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "service": "sqlServer", + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] + }, + "restrictOutboundNetworkAccess": { + "value": "Disabled" + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "securityAlertPolicies": { + "value": [ + { + "emailAccountAdmins": true, + "name": "Default", + "state": "Enabled" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "virtualNetworkRules": { + "value": [ + { + "ignoreMissingVnetServiceEndpoint": true, + "name": "newVnetRule1", + "virtualNetworkSubnetId": "" + } + ] + }, + "vulnerabilityAssessmentsObj": { + "value": { + "emailSubscriptionAdmins": true, + "name": "default", + "recurringScansEmails": [ + "test1@contoso.com", + "test2@contoso.com" + ], + "recurringScansIsEnabled": true, + "storageAccountResourceId": "" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/storage/storage-account/README.md b/modules/storage/storage-account/README.md index 137e38dee2..4add2e1cc2 100644 --- a/modules/storage/storage-account/README.md +++ b/modules/storage/storage-account/README.md @@ -46,6 +46,7 @@ The following section provides usage examples for the module, which were used to - [Using large parameter set](#example-3-using-large-parameter-set) - [Nfs](#example-4-nfs) - [V1](#example-5-v1) +- [WAF-aligned](#example-6-waf-aligned) ### Example 1: _Using only defaults_ @@ -1108,6 +1109,620 @@ module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = {

+### Example 6: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module storageAccount 'br:bicep/modules/storage.storage-account:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-ssawaf' + params: { + // Required parameters + name: 'ssawaf001' + // Non-required parameters + allowBlobPublicAccess: false + blobServices: { + automaticSnapshotPolicyEnabled: true + containerDeleteRetentionPolicyDays: 10 + containerDeleteRetentionPolicyEnabled: true + containers: [ + { + enableNfsV3AllSquash: true + enableNfsV3RootSquash: true + name: 'avdscripts' + publicAccess: 'None' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + } + { + allowProtectedAppendWrites: false + enableWORM: true + metadata: { + testKey: 'testValue' + } + name: 'archivecontainer' + publicAccess: 'None' + WORMRetention: 666 + } + ] + deleteRetentionPolicyDays: 9 + deleteRetentionPolicyEnabled: true + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + lastAccessTimeTrackingPolicyEnabled: true + } + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + enableHierarchicalNamespace: true + enableNfsV3: true + enableSftp: true + fileServices: { + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + shares: [ + { + accessTier: 'Hot' + name: 'avdprofiles' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + shareQuota: 5120 + } + { + name: 'avdprofiles2' + shareQuota: 102400 + } + ] + } + largeFileSharesState: 'Enabled' + localUsers: [ + { + hasSharedKey: false + hasSshKey: true + hasSshPassword: false + homeDirectory: 'avdscripts' + name: 'testuser' + permissionScopes: [ + { + permissions: 'r' + resourceName: 'avdscripts' + service: 'blob' + } + ] + storageAccountName: 'ssawaf001' + } + ] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } + managementPolicyRules: [ + { + definition: { + actions: { + baseBlob: { + delete: { + daysAfterModificationGreaterThan: 30 + } + tierToCool: { + daysAfterLastAccessTimeGreaterThan: 5 + } + } + } + filters: { + blobIndexMatch: [ + { + name: 'BlobIndex' + op: '==' + value: '1' + } + ] + blobTypes: [ + 'blockBlob' + ] + prefixMatch: [ + 'sample-container/log' + ] + } + } + enabled: true + name: 'FirstRule' + type: 'Lifecycle' + } + ] + networkAcls: { + bypass: 'AzureServices' + defaultAction: 'Deny' + ipRules: [ + { + action: 'Allow' + value: '1.1.1.1' + } + ] + virtualNetworkRules: [ + { + action: 'Allow' + id: '' + } + ] + } + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + service: 'blob' + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + queueServices: { + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + queues: [ + { + metadata: { + key1: 'value1' + key2: 'value2' + } + name: 'queue1' + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + } + { + metadata: {} + name: 'queue2' + } + ] + } + requireInfrastructureEncryption: true + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + sasExpirationPeriod: '180.00:00:00' + skuName: 'Standard_LRS' + tableServices: { + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + tables: [ + 'table1' + 'table2' + ] + } + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "ssawaf001" + }, + // Non-required parameters + "allowBlobPublicAccess": { + "value": false + }, + "blobServices": { + "value": { + "automaticSnapshotPolicyEnabled": true, + "containerDeleteRetentionPolicyDays": 10, + "containerDeleteRetentionPolicyEnabled": true, + "containers": [ + { + "enableNfsV3AllSquash": true, + "enableNfsV3RootSquash": true, + "name": "avdscripts", + "publicAccess": "None", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + { + "allowProtectedAppendWrites": false, + "enableWORM": true, + "metadata": { + "testKey": "testValue" + }, + "name": "archivecontainer", + "publicAccess": "None", + "WORMRetention": 666 + } + ], + "deleteRetentionPolicyDays": 9, + "deleteRetentionPolicyEnabled": true, + "diagnosticSettings": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ], + "lastAccessTimeTrackingPolicyEnabled": true + } + }, + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "enableHierarchicalNamespace": { + "value": true + }, + "enableNfsV3": { + "value": true + }, + "enableSftp": { + "value": true + }, + "fileServices": { + "value": { + "diagnosticSettings": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ], + "shares": [ + { + "accessTier": "Hot", + "name": "avdprofiles", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ], + "shareQuota": 5120 + }, + { + "name": "avdprofiles2", + "shareQuota": 102400 + } + ] + } + }, + "largeFileSharesState": { + "value": "Enabled" + }, + "localUsers": { + "value": [ + { + "hasSharedKey": false, + "hasSshKey": true, + "hasSshPassword": false, + "homeDirectory": "avdscripts", + "name": "testuser", + "permissionScopes": [ + { + "permissions": "r", + "resourceName": "avdscripts", + "service": "blob" + } + ], + "storageAccountName": "ssawaf001" + } + ] + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, + "managementPolicyRules": { + "value": [ + { + "definition": { + "actions": { + "baseBlob": { + "delete": { + "daysAfterModificationGreaterThan": 30 + }, + "tierToCool": { + "daysAfterLastAccessTimeGreaterThan": 5 + } + } + }, + "filters": { + "blobIndexMatch": [ + { + "name": "BlobIndex", + "op": "==", + "value": "1" + } + ], + "blobTypes": [ + "blockBlob" + ], + "prefixMatch": [ + "sample-container/log" + ] + } + }, + "enabled": true, + "name": "FirstRule", + "type": "Lifecycle" + } + ] + }, + "networkAcls": { + "value": { + "bypass": "AzureServices", + "defaultAction": "Deny", + "ipRules": [ + { + "action": "Allow", + "value": "1.1.1.1" + } + ], + "virtualNetworkRules": [ + { + "action": "Allow", + "id": "" + } + ] + } + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "service": "blob", + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] + }, + "queueServices": { + "value": { + "diagnosticSettings": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ], + "queues": [ + { + "metadata": { + "key1": "value1", + "key2": "value2" + }, + "name": "queue1", + "roleAssignments": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + { + "metadata": {}, + "name": "queue2" + } + ] + } + }, + "requireInfrastructureEncryption": { + "value": true + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "sasExpirationPeriod": { + "value": "180.00:00:00" + }, + "skuName": { + "value": "Standard_LRS" + }, + "tableServices": { + "value": { + "diagnosticSettings": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ], + "tables": [ + "table1", + "table2" + ] + } + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/synapse/private-link-hub/README.md b/modules/synapse/private-link-hub/README.md index 6e5a8a801c..c023d34f2e 100644 --- a/modules/synapse/private-link-hub/README.md +++ b/modules/synapse/private-link-hub/README.md @@ -30,6 +30,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -205,6 +206,132 @@ module privateLinkHub 'br:bicep/modules/synapse.private-link-hub:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module privateLinkHub 'br:bicep/modules/synapse.private-link-hub:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-splhwaf' + params: { + // Required parameters + name: 'splhwaf001' + // Non-required parameters + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + service: 'Web' + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: '/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "splhwaf001" + }, + // Non-required parameters + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "service": "Web", + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + }, + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "/providers/Microsoft.Authorization/roleDefinitions/b24988ac-6180-42a0-ab88-20f7382dd24c" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/synapse/workspace/README.md b/modules/synapse/workspace/README.md index d00edcb815..879cf28301 100644 --- a/modules/synapse/workspace/README.md +++ b/modules/synapse/workspace/README.md @@ -37,6 +37,7 @@ The following section provides usage examples for the module, which were used to - [Encrwuai](#example-3-encrwuai) - [Managedvnet](#example-4-managedvnet) - [Using large parameter set](#example-5-using-large-parameter-set) +- [WAF-aligned](#example-6-waf-aligned) ### Example 1: _Using only defaults_ @@ -507,6 +508,178 @@ module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = {

+### Example 6: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module workspace 'br:bicep/modules/synapse.workspace:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-swwaf' + params: { + // Required parameters + defaultDataLakeStorageAccountResourceId: '' + defaultDataLakeStorageFilesystem: '' + name: 'swwaf001' + sqlAdministratorLogin: 'synwsadmin' + // Non-required parameters + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + logCategoriesAndGroups: [ + { + category: 'SynapseRbacOperations' + } + { + category: 'SynapseLinkEvent' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + initialWorkspaceAdminObjectID: '' + integrationRuntimes: [ + { + name: 'shir01' + type: 'SelfHosted' + } + ] + managedVirtualNetwork: true + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + service: 'SQL' + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + userAssignedIdentities: { + '': {} + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "defaultDataLakeStorageAccountResourceId": { + "value": "" + }, + "defaultDataLakeStorageFilesystem": { + "value": "" + }, + "name": { + "value": "swwaf001" + }, + "sqlAdministratorLogin": { + "value": "synwsadmin" + }, + // Non-required parameters + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "logCategoriesAndGroups": [ + { + "category": "SynapseRbacOperations" + }, + { + "category": "SynapseLinkEvent" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "initialWorkspaceAdminObjectID": { + "value": "" + }, + "integrationRuntimes": { + "value": [ + { + "name": "shir01", + "type": "SelfHosted" + } + ] + }, + "managedVirtualNetwork": { + "value": true + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "service": "SQL", + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "userAssignedIdentities": { + "value": { + "": {} + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/virtual-machine-images/image-template/README.md b/modules/virtual-machine-images/image-template/README.md index d5d30e9144..d58507d074 100644 --- a/modules/virtual-machine-images/image-template/README.md +++ b/modules/virtual-machine-images/image-template/README.md @@ -29,6 +29,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -292,6 +293,178 @@ module imageTemplate 'br:bicep/modules/virtual-machine-images.image-template:1.0

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module imageTemplate 'br:bicep/modules/virtual-machine-images.image-template:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-vmiitwaf' + params: { + // Required parameters + customizationSteps: [ + { + restartTimeout: '10m' + type: 'WindowsRestart' + } + ] + imageSource: { + offer: 'Windows-11' + publisher: 'MicrosoftWindowsDesktop' + sku: 'win11-22h2-avd' + type: 'PlatformImage' + version: 'latest' + } + name: 'vmiitwaf001' + userMsiName: '' + // Non-required parameters + buildTimeoutInMinutes: 60 + enableDefaultTelemetry: '' + imageReplicationRegions: [] + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedImageName: 'mi-vmiitwaf-001' + osDiskSizeGB: 127 + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + sigImageDefinitionId: '' + sigImageVersion: '' + stagingResourceGroup: '' + subnetId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + unManagedImageName: 'umi-vmiitwaf-001' + userAssignedIdentities: [ + '' + ] + userMsiResourceGroup: '' + vmSize: 'Standard_D2s_v3' + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "customizationSteps": { + "value": [ + { + "restartTimeout": "10m", + "type": "WindowsRestart" + } + ] + }, + "imageSource": { + "value": { + "offer": "Windows-11", + "publisher": "MicrosoftWindowsDesktop", + "sku": "win11-22h2-avd", + "type": "PlatformImage", + "version": "latest" + } + }, + "name": { + "value": "vmiitwaf001" + }, + "userMsiName": { + "value": "" + }, + // Non-required parameters + "buildTimeoutInMinutes": { + "value": 60 + }, + "enableDefaultTelemetry": { + "value": "" + }, + "imageReplicationRegions": { + "value": [] + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedImageName": { + "value": "mi-vmiitwaf-001" + }, + "osDiskSizeGB": { + "value": 127 + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "sigImageDefinitionId": { + "value": "" + }, + "sigImageVersion": { + "value": "" + }, + "stagingResourceGroup": { + "value": "" + }, + "subnetId": { + "value": "" + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + }, + "unManagedImageName": { + "value": "umi-vmiitwaf-001" + }, + "userAssignedIdentities": { + "value": [ + "" + ] + }, + "userMsiResourceGroup": { + "value": "" + }, + "vmSize": { + "value": "Standard_D2s_v3" + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/web/connection/README.md b/modules/web/connection/README.md index bdb9491881..682936b91b 100644 --- a/modules/web/connection/README.md +++ b/modules/web/connection/README.md @@ -27,6 +27,7 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/web.connection:1.0.0`. - [Using large parameter set](#example-1-using-large-parameter-set) +- [WAF-aligned](#example-2-waf-aligned) ### Example 1: _Using large parameter set_ @@ -126,6 +127,104 @@ module connection 'br:bicep/modules/web.connection:1.0.0' = {

+### Example 2: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module connection 'br:bicep/modules/web.connection:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-wcwaf' + params: { + // Required parameters + displayName: 'azuremonitorlogs' + name: 'azuremonitor' + // Non-required parameters + api: { + id: '' + } + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "displayName": { + "value": "azuremonitorlogs" + }, + "name": { + "value": "azuremonitor" + }, + // Non-required parameters + "api": { + "value": { + "id": "" + } + }, + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/web/serverfarm/README.md b/modules/web/serverfarm/README.md index 4dc832d2b9..0f9579209f 100644 --- a/modules/web/serverfarm/README.md +++ b/modules/web/serverfarm/README.md @@ -28,6 +28,7 @@ The following section provides usage examples for the module, which were used to >**Note**: To reference the module, please use the following syntax `br:bicep/modules/web.serverfarm:1.0.0`. - [Using large parameter set](#example-1-using-large-parameter-set) +- [WAF-aligned](#example-2-waf-aligned) ### Example 1: _Using large parameter set_ @@ -161,6 +162,138 @@ module serverfarm 'br:bicep/modules/web.serverfarm:1.0.0' = {

+### Example 2: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module serverfarm 'br:bicep/modules/web.serverfarm:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-wsfwaf' + params: { + // Required parameters + name: 'wsfwaf001' + sku: { + capacity: '1' + family: 'S' + name: 'S1' + size: 'S1' + tier: 'Standard' + } + // Non-required parameters + diagnosticSettings: [ + { + eventHubAuthorizationRuleResourceId: '' + eventHubName: '' + metricCategories: [ + { + category: 'AllMetrics' + } + ] + name: 'customSetting' + storageAccountResourceId: '' + workspaceResourceId: '' + } + ] + enableDefaultTelemetry: '' + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "wsfwaf001" + }, + "sku": { + "value": { + "capacity": "1", + "family": "S", + "name": "S1", + "size": "S1", + "tier": "Standard" + } + }, + // Non-required parameters + "diagnosticSettings": { + "value": [ + { + "eventHubAuthorizationRuleResourceId": "", + "eventHubName": "", + "metricCategories": [ + { + "category": "AllMetrics" + } + ], + "name": "customSetting", + "storageAccountResourceId": "", + "workspaceResourceId": "" + } + ] + }, + "enableDefaultTelemetry": { + "value": "" + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters diff --git a/modules/web/static-site/README.md b/modules/web/static-site/README.md index ebd2b09d90..98a80f18d6 100644 --- a/modules/web/static-site/README.md +++ b/modules/web/static-site/README.md @@ -33,6 +33,7 @@ The following section provides usage examples for the module, which were used to - [Using only defaults](#example-1-using-only-defaults) - [Using large parameter set](#example-2-using-large-parameter-set) +- [WAF-aligned](#example-3-waf-aligned) ### Example 1: _Using only defaults_ @@ -254,6 +255,178 @@ module staticSite 'br:bicep/modules/web.static-site:1.0.0' = {

+### Example 3: _WAF-aligned_ + +This instance deploys the module in alignment with the best-practices of the Azure Well-Architected Framework. + + +

+ +via Bicep module + +```bicep +module staticSite 'br:bicep/modules/web.static-site:1.0.0' = { + name: '${uniqueString(deployment().name, location)}-test-wsswaf' + params: { + // Required parameters + name: 'wsswaf001' + // Non-required parameters + allowConfigFileUpdates: true + appSettings: { + foo: 'bar' + setting: 1 + } + enableDefaultTelemetry: '' + enterpriseGradeCdnStatus: 'Disabled' + functionAppSettings: { + foo: 'bar' + setting: 1 + } + linkedBackend: { + resourceId: '' + } + lock: { + kind: 'CanNotDelete' + name: 'myCustomLockName' + } + managedIdentities: { + systemAssigned: true + userAssignedResourcesIds: [ + '' + ] + } + privateEndpoints: [ + { + privateDnsZoneResourceIds: [ + '' + ] + subnetResourceId: '' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } + ] + roleAssignments: [ + { + principalId: '' + principalType: 'ServicePrincipal' + roleDefinitionIdOrName: 'Reader' + } + ] + sku: 'Standard' + stagingEnvironmentPolicy: 'Enabled' + tags: { + Environment: 'Non-Prod' + 'hidden-title': 'This is visible in the resource name' + Role: 'DeploymentValidation' + } + } +} +``` + +
+

+ +

+ +via JSON Parameter file + +```json +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#", + "contentVersion": "1.0.0.0", + "parameters": { + // Required parameters + "name": { + "value": "wsswaf001" + }, + // Non-required parameters + "allowConfigFileUpdates": { + "value": true + }, + "appSettings": { + "value": { + "foo": "bar", + "setting": 1 + } + }, + "enableDefaultTelemetry": { + "value": "" + }, + "enterpriseGradeCdnStatus": { + "value": "Disabled" + }, + "functionAppSettings": { + "value": { + "foo": "bar", + "setting": 1 + } + }, + "linkedBackend": { + "value": { + "resourceId": "" + } + }, + "lock": { + "value": { + "kind": "CanNotDelete", + "name": "myCustomLockName" + } + }, + "managedIdentities": { + "value": { + "systemAssigned": true, + "userAssignedResourcesIds": [ + "" + ] + } + }, + "privateEndpoints": { + "value": [ + { + "privateDnsZoneResourceIds": [ + "" + ], + "subnetResourceId": "", + "tags": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + ] + }, + "roleAssignments": { + "value": [ + { + "principalId": "", + "principalType": "ServicePrincipal", + "roleDefinitionIdOrName": "Reader" + } + ] + }, + "sku": { + "value": "Standard" + }, + "stagingEnvironmentPolicy": { + "value": "Enabled" + }, + "tags": { + "value": { + "Environment": "Non-Prod", + "hidden-title": "This is visible in the resource name", + "Role": "DeploymentValidation" + } + } + } +} +``` + +
+

+ ## Parameters